{
	"id": "25ffd7e4-f58b-4995-9d73-b48fc729e762",
	"created_at": "2026-04-06T00:08:40.324169Z",
	"updated_at": "2026-04-10T03:32:21.254775Z",
	"deleted_at": null,
	"sha1_hash": "dd5a7f4fe927af91da84fdcb4d2d485b493016fc",
	"title": "Rule Info Winnti_APT_Hdump_Tool - Valhalla",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41393,
	"plain_text": "Rule Info Winnti_APT_Hdump_Tool - Valhalla\r\nArchived: 2026-04-05 16:15:09 UTC\r\nName\r\nWinnti_APT_Hdump_Tool\r\nDescription\r\nPassword dumper used by Winnti group - file pn.exe\r\nReference\r\nInternal Research\r\nRule Hash\r\nb7bc4234f427f855d3ef2a2bcf743735\r\nTags\r\n['FILE', 'EXE', 'G0044', 'T1003', 'APT', 'CHINA']\r\nAntivirus Verdicts\r\nMalicious (\u003e= 10 engines)\r\n5\r\nSuspicious (\u003c 10 engines)\r\n3\r\nRule Matches\r\nhttps://valhalla.nextron-systems.com/info/rule/Winnti_APT_Hdump_Tool\r\nPage 1 of 3\n\nTimestamp\r\nPositives\r\nTotal\r\nHash\r\nVT\r\n2025-06-25 19:34:32\r\n33\r\n72\r\n85eada3b4af6e9bd6ee17a068bb6d74717ad1f541d1a5eef09d74557abdbf778\r\n2024-05-23 04:38:23\r\n8\r\n74\r\ncf5739ac59dac84d94aa95123a18ed0cdeb58fbd3a42645580485808f6692a59\r\n2024-03-16 01:05:11\r\n4\r\n71\r\n48bdb774ad21b97a9a09f1ba3ba2daac5b6b5d765e7ac6324e485ab7312e99a0\r\n2023-05-16 04:12:48\r\n29\r\n70\r\n3fc6b07ab22dc5c7732b491418ca395dbe819423bda2b61b946013278a41df54\r\n2023-02-21 19:44:47\r\n17\r\n70\r\n64ab1c1b19682026900d060b969ab3c3ab860988733b7e7bf3ba78a4ea0340b9\r\n2023-02-17 16:45:23\r\nhttps://valhalla.nextron-systems.com/info/rule/Winnti_APT_Hdump_Tool\r\nPage 2 of 3\n\n6\r\n69\r\nb4f2dd50bf5a65a71b89d490fc5e83aa60af5d4f62f451b7b5de58d152c838d6\r\n2021-11-09 07:44:38\r\n10\r\n62\r\nc17eda56d9a48bcb1beb20f47065da93c765dcb29b4f7f389d172f50292d0e4d\r\n2021-04-11 11:11:34\r\n27\r\n70\r\n724d0be8e7a56efca098e6e93aa8604b0df2b41a8a1569d9872bf9a043520f68\r\nSource: https://valhalla.nextron-systems.com/info/rule/Winnti_APT_Hdump_Tool\r\nhttps://valhalla.nextron-systems.com/info/rule/Winnti_APT_Hdump_Tool\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://valhalla.nextron-systems.com/info/rule/Winnti_APT_Hdump_Tool"
	],
	"report_names": [
		"Winnti_APT_Hdump_Tool"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd5a7f4fe927af91da84fdcb4d2d485b493016fc.pdf",
		"text": "https://archive.orkl.eu/dd5a7f4fe927af91da84fdcb4d2d485b493016fc.txt",
		"img": "https://archive.orkl.eu/dd5a7f4fe927af91da84fdcb4d2d485b493016fc.jpg"
	}
}