{
	"id": "c924a00f-e7d3-448a-a1e4-ef6419759485",
	"created_at": "2026-04-06T00:07:50.371591Z",
	"updated_at": "2026-04-10T03:37:09.05774Z",
	"deleted_at": null,
	"sha1_hash": "f3d66970d8f21208054f0c03df0f65421c9c95db",
	"title": "AgentTesla Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 852504,
	"plain_text": "AgentTesla Malware\nBy Malwares\nPublished: 2021-04-04 · Archived: 2026-04-05 13:11:32 UTC\nThe following table lists the artifacts analyzed in this document.\nAgent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.\nThe malware code is packed, so after unpacking it you should see only the sections shown in the figure below.\nThat is not the actual code; the actual code is resolved at runtime, as shown in the figure below.\nIt resolves QWzgdyIDcJlMs at runtime, and the resulting code is around 25k lines, as shown in the figure below.\nIt checks the operating system and gets a hash of the current domain, as shown in the figure below.\nIt gets the hostname, processor type and name of the current user, as shown in the figures below.\nIt enumerates the network adapter configuration, as shown in the figure below.\nIt gets the MAC address of the machine, as shown in the figure below.\nEnumeration functions in the folder path \"C:\\\\Users\\\\Mahmoud_El_Menshawy\\\\AppData\\\\Local\" are used for stealing browser caches, passwords, profiles etc., as shown in the figure below.\n[DebuggerHidden] #\nThe [DebuggerHidden] attribute hides the browser-state-editing code from the debugger.\nEmbedded HTTP requests:\nhttps://api.telegram.org/bot%telegramapi%/.\nhttps://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip # Tor browser.\nEnumeration and other important functions\nhttps://menshaway.blogspot.com/2021/04/agenttesla-malware.html\nPage 1 of 9\nEnumProcessModules.\nGetWindowThreadProcessId.\nGetModuleFileNameEx.\nDecryption of all configurations\nAll configurations depend on a big array called <<EMPTY_NAME>>.\nLet's go in depth into the code.\nLet's go to the function Bx().\nThen <<EMPTY_NAME>>.\n<<EMPTY_NAME>> is an array of bytes.\nWhen I did more research I found a reference to this array, as shown in the figure below.\nSo <<EMPTY_NAME>> is a really big array, more than 11k lines.\nSo it takes each element of the big array, XORs it with its index and then with the value 170, and saves the result back into <<EMPTY_NAME>> (overwriting the array with the new values), as shown in the figure below.\nSo let's see the big array:\n{153,158,154,153,215,214,213,212,143,238,237,140,194,195,132,237,242,129,213,212,132,204,207,196,203,202,201,238,251,250,235,209,238,212,192,\nSo the value of byte.MaxValue will be 255, as shown in the figure below.\nSo at this point everything is okay; the only problem is the string ,\"Notshowingallelementsbecausethisarrayistoobig(11846elements)\" at the end of the array.\nThat means we don't have all the byte values of the array, so we can't reverse the array to get the string <<EMPTY_NAME>> that is resolved after the loop finishes.\nI tried to create the array of bytes, but it displayed the error \"cannot implicitly convert type string to byte\".\nThat means we don't have the complete elements of the array.\nSo I removed the string ,\"Notshowingallelementsbecausethisarrayistoobig(11846elements)\".\nLet's see the decryption function of the malware and how to get the host.\nThat's the beginning of the SMTP function.\nSo the class calls the function Bx(), as shown in the figure below.\nIf we go through Bx() we see this code.\nSo it pushes an array called <<EMPTY_NAME>> with parameters (151, 1888, 25), and the return value is saved in an array called <<EMPTY_NAME>>[151].\n<<EMPTY_NAME>> with parameters (151, 1888, 25):\n151 => the save position in the first array.\n1888 => the starting position in the big array that was mentioned at the beginning of the report.\n25 => the count.\nSo that means it starts from array position 1888 up to 1913.\nSo the length of the host name will be 25.\nSo let's go inside <<EMPTY_NAME>> with parameters (151, 1888, 25):\nnum => 151, index => 1888, count => 25.\nSo num2 = 0.\nSo we hit the condition if (num2 == 0) { num2 = 1; }\nSo the value of num2 will be 1.\nIf the value of num2 is 4, exit the while loop; otherwise continue looping.\nValue of num2 = 1.\nSo we hit the condition if (num2 == 1) { num2 = 2; }\nSo the value of num2 will be 2.\nThen continue looping because num2 != 4.\nSo we hit the condition\nif (num2 == 2)\n{\n    @string = Encoding.UTF8.GetString(97085277-F30F-47FA-9C3D-82DA9E6730B4.<<EMPTY_NAME>>, index, count);\n    num2 = 3;\n}\nSo it pushes the big array and gets the string (host) based on the parameters <<EMPTY_NAME>>, index, count, with index => 1888 and count => 25, and saves the value in @string.\nSo the value will be => mail.totallyanonymous.com.\nThe same applies to the credentials: the username is in function Bw(), and the password is in function BX().\nBw() => Username\nIf we apply the same technique we get the result honebots@totallyanonymous.com.\nSame technique for the password.\nBX() => Password\nResult => 572h094S.\nSame technique for the destination mail address.\nResult => marhmelo@rape.lol.\nSo at this point I noticed that the class called 97085277-F30F-47FA-9C3D-82DA9E6730B4 includes all configurations, so I decided to decrypt all big arrays.\nSo I wrote .NET code, as shown in the figure, to decrypt all content of the array.\nI just got the length of the array, which will be 9998.\nMy code\n// Decryption of AgentTesla configurations\n// Author: Mahmoud ElMenshawy\nusing System;\nusing System.Text;\n\npublic class Program\n{\n    public static void Main()\n    {\n        // Encrypted configuration blob dumped from the sample. Only the first bytes are\n        // reproduced here; the remaining elements were not shown in the original listing,\n        // and the offsets used below assume the complete array.\n        byte[] array =\n        {\n            153,158,154,153,215,214,213,212,143,238,237,140,194,195,132,237,242,129,213,212,132,204,207,196,203,202,201,238,251,250,235,209,238,212,192,\n            /* ... remaining bytes elided ... */\n        };\n\n        // Decrypt in place: every byte is XORed with its own index and then with 170.\n        for (int i = 0; i < array.Length; i++)\n            array[i] = (byte)((int)array[i] ^ i ^ 170);\n\n        // Each configuration value is an (offset, length) slice of the decrypted array.\n        string @host = Encoding.UTF8.GetString(array, 1888, 25);\n        string @to = Encoding.UTF8.GetString(array, 1913, 17);\n        string @from = Encoding.UTF8.GetString(array, 1851, 29);\n        string @password = Encoding.UTF8.GetString(array, 1880, 8);\n        string @content = Encoding.UTF8.GetString(array, 1, 9998);\n\n        Console.Write(\"Host name: \");\n        Console.WriteLine(@host);\n        Console.Write(\"To: \");\n        Console.WriteLine(@to);\n        Console.Write(\"From: \");\n        Console.WriteLine(@from);\n        Console.Write(\"Password: \");\n        Console.WriteLine(@password);\n        Console.WriteLine(\"\");\n        Console.WriteLine(\"Content of array: \");\n        Console.WriteLine(@content);\n    }\n}\nResult of code\nHost name: mail.totallyanonymous.com\nTo: marhmelo@rape.lol\nFrom: honebots@totallyanonymous.com\nPassword: 572h094S\nContent of array:\n[decrypted string table omitted]\nYou can try the code at the link below.\nLink: https://dotnetfiddle.net/.\nIf you want to learn malware analysis you can check my YouTube channel; I'm trying to publish malware analyses and some malware-analysis methods.\nPlease don't forget to subscribe to my channel. Thank you ♥\nYouTube channel\nhttps://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA\nReferences\n1- https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.\n2- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/.\n3- https://www.deepinstinct.com/2020/07/02/agent-tesla-a-lesson-in-how-complexity-gets-you-under-the-radar/.\nSource: https://menshaway.blogspot.com/2021/04/agenttesla-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://menshaway.blogspot.com/2021/04/agenttesla-malware.html"
	],
	"report_names": [
		"agenttesla-malware.html"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3d66970d8f21208054f0c03df0f65421c9c95db.pdf",
		"text": "https://archive.orkl.eu/f3d66970d8f21208054f0c03df0f65421c9c95db.txt",
		"img": "https://archive.orkl.eu/f3d66970d8f21208054f0c03df0f65421c9c95db.jpg"
	}
}