"x_misp_value":"FireEye recently looked deeper into the activity discussed in TrendMicro\u00e2\u20ac\u2122s blog and dubbed the \u00e2\u20ac\u0153Siesta\u00e2\u20ac\u009d campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.\r\n\r\nThe Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature."
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"pattern":"[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '184.82.164.104']",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to):",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"pattern":"[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '69.90.65.240']",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6f3d15cf788e28ca504a6370c4ff6a1e",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6f3d15cf788e28ca504a6370c4ff6a1e",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6a3b8d24c125f3a3c7cff526e63297f3",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 6a3b8d24c125f3a3c7cff526e63297f3",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 001b8f696b6576798517168cd0a0fb44",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 001b8f696b6576798517168cd0a0fb44",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 21567cce2c26e7543b977a205845ba77",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 21567cce2c26e7543b977a205845ba77",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 392f15c431c00f049bb1282847d8967f",
"description":"This same PE resource was also used in a number of other samples deployed by the \u00e2\u20ac\u0153Menupass\u00e2\u20ac\u009d group, which we have detailed in our Poison Ivy report. Previous Menupass samples with this same PE resource include - Xchecked via VT: 392f15c431c00f049bb1282847d8967f",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 894ef915af830f38499d498342fdd8db",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 894ef915af830f38499d498342fdd8db",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b0a95c47d170baad8a5594e0f755e0c1",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b0a95c47d170baad8a5594e0f755e0c1",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b19ef1134f54b4021f99cc45ae1bc270",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b19ef1134f54b4021f99cc45ae1bc270",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d0a7cd5cd7da9024fb8bd594d37d7594",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d0a7cd5cd7da9024fb8bd594d37d7594",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d6c19be4e9e1ae347ee269d15cb96a51",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: d6c19be4e9e1ae347ee269d15cb96a51",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b92a53fc409d175c768581978f1d3331",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b92a53fc409d175c768581978f1d3331",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b584b48d401e98f404584c330489895c",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: b584b48d401e98f404584c330489895c",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 9c4617793984c4b08d75b00f1562cbda",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 9c4617793984c4b08d75b00f1562cbda",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 8ee2cf05746bb0a009981fdb90f1343e",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 8ee2cf05746bb0a009981fdb90f1343e",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 1aab2040ed4f918e1823e2caf645a81d",
"description":"Both 61249bf64fa270931570b8a5eba06afa and 0f3031412d255336a102bbc1dcd43812 droppers also had a portable executable (PE) resource with the SHA256 of fb080cef60846528c409f60400f334100a16a5bd77b953c864b23a945fcf26fd. This PE resource contained the PDF icon used by the dropper to make the executable appear as though it was a PDF document rather than an executable. Previous APT1 samples also used this sample PE resource including - Xchecked via VT: 1aab2040ed4f918e1823e2caf645a81d",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: fdf6bf1973af8ab130fbcaa0914b4b06",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: fdf6bf1973af8ab130fbcaa0914b4b06",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 513644c57688b70860d0b9aa1b6cd0d7",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 513644c57688b70860d0b9aa1b6cd0d7",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 173cd315008897e56fa812f2b2843f83",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 173cd315008897e56fa812f2b2843f83",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: ac87816b9a371e72512d8fd82f61c737",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: ac87816b9a371e72512d8fd82f61c737",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 736ebc9b8ece410aaf4e8b60615f065f",
"description":"This custom alphabet was used by the malware to decode commands issued by the attacker to the victim machine and to Base64 encode the reverse shell from the victims back to the CnC server.This same custom alphabet has been used in previous APT1 samples including - Xchecked via VT: 736ebc9b8ece410aaf4e8b60615f065f",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: e5a4ec0519c471b5be093aee5c33b1ee",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: e5a4ec0519c471b5be093aee5c33b1ee",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 57a4c6236b4ecf96d31258e5cc6f0ae4",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 57a4c6236b4ecf96d31258e5cc6f0ae4",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 287113e4423813efd242af8e6255f680",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 287113e4423813efd242af8e6255f680",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 1df0b937239473df0187063392dae028",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 1df0b937239473df0187063392dae028",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: c2aadd6a69a775602d984af64eaeda96",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: c2aadd6a69a775602d984af64eaeda96",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 93a6e9a26924a5cdab8ed47cadbe88d5",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 93a6e9a26924a5cdab8ed47cadbe88d5",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 719453b4da6d3814604c84a28d4d1f4c",
"description":"The import hash from this dropper was also seen in a number of previous APT1 samples dating as far back as 2011 \u00e2\u20ac\u201d well before the release of the APT1 report. We previously discussed the value of tracking via import hashing here. Other APT1 samples with this same import hash include (but are not limited to): - Xchecked via VT: 719453b4da6d3814604c84a28d4d1f4c",
"description":"The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign - Xchecked via VT: 643654975b63a9bb6f597502e5cd8f49",
"description":"The import hash of 0fefba40443edd57f816502035077e3e is in other samples linked to the Siesta campaign - Xchecked via VT: 643654975b63a9bb6f597502e5cd8f49",