"ID","Threat","Hash","Vhash","Time","Signature","Commentary" "0","APT19","ed4043b9a410016fb57c57cefb8bda4eeef1b222194fd68eb17650e353a4eea4","125066655d155555129z87fz39za00176z1","2017-05-22 21:21:47","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 1c 60 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Variant use EICAR string as fake alert + ReflectiveLoader" "0","APT19","88c7058e0190a72f01c3371b8b893d7b08d25fa6c35521c0440d959be4e0d574","125066655d155555129z87fz39za00176z1","2017-05-22 21:21:47","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 1c 60 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "1","APT19","399a07f32a3d29c3feac66fe71fc6694d456f8de4894f92743f4e9031500b9e9","125066655d155555129z76fz39za00176z1","2016-07-28 20:17:37","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 81 c3 40 4a 01 00 ff d3 48 89 c3 49 89 f8 68 04 00 00 00 5a ff d0 41 b8 f0 b5 a2 56 68 05 00 00 00 5a ff d3 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "2","APT19","f286f5e10d39dbbfec1aa1667912d63d31f88f787f9a1cb7a87b9e88fdb1209a","125056655d15551.z1","2016-11-11 04:08:32","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 3c 6e 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f0 00 00 00 5c 55 0c 75 63 ef 98 0b 7f c4 5c","Variant pivot, ordinal way -> execute" "3","APT19","d6dc1b71a7358107087235a29eff5a195f52d1f482f017135024227fe7278bb1","125056655d15551258z88fz39za00176z1","2018-09-05 21:54:00","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 40 64 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "4","APT19","cfc7b6a8ad0959f4ea3f6b6f09492ea93961938008b61279567f1bddf1a7bc06","125056655d15551158z8drza00166z1","2020-06-23 19:21:26","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 d8 5f 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Different formating and technics, code reuse, use the stackfor the strings" "5","APT19","2f8e39e97dfd31bb434618acab9be13ca142f8ed5d84b6b1eec2ad51e0708d52","125056655d1555129z8frza00166z1","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "5","APT19","f625ac3b2c790e92810a05823a5ea8ce4c9741278a377c3f7e69b65a33affa04","125056655d1555129z8frza00166z1","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "5","APT19","d03f975148e13019971f60857322ce49b923ae0cabd477cd282b97fdf3f906a3","125056655d1555129z8frza00166z1","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "5","APT19","5f133e7b1c41a09fe9c41f841b2a4bdbc9046c21c731391811cbfbc7508cc28a","125056655d1555129z8frza00166z1","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "5","APT19","d352c4b9852fb132913f526cd9ae8d68291b288a30a3c5dfe810a1ea9ae851b1","125056655d1555129z8frza00166z1","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching to rule -> https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt19.yar -> Reflectiveloader" "5","APT19","275026846522fe61c312b0a739f4d1272eb99d8b66f55a5083e30f22aeb0217f","135056655d15151""z","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Evasive method on the calls of API" "5","APT19","23dceade2359f8b2575ebd8ed0039e31c80d6961b309eeb6fe5562b00beea8ce","135056655d15151""z","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Evasive method on the calls of API" "5","APT19","c0e7dacc3f1aef4b11c99cbdebd368abefb4dc901137fabcdfee238048cd5401","135056655d15151""z","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Evasive method on the calls of API" "5","APT19","8639245501bc7aa29bd32fb4640eb29234191be4d91ea679fb64cc00ebb13d2e","135056655d15151""z","2019-12-05 12:01:49","4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 f4 63 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Evasive method on the calls of API" "6","Chimera","f7d8e3458210963963742f5c66527ed3a9e465e2410a3343fe5487a934e85d44","125056651d15555143z32z717z1dz31z900157z","2020-08-01 03:10:57","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Variant using localhost" "6","Chimera","8a343368941ce2c500224256a96aec952b00786b2500746ac184553d99b9f912","125056651d15555143z32z717z1dz31z900157z","2020-09-04 19:37:33","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Pivoting on external IP" "6","Chimera","fbe327350c11038f64cec12eb7343ac2dcfcc66ced70a8216f9f8053479edbb3","125056651d15555143z32z717z1dz31z900157z","2020-08-01 03:10:57","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "6","Chimera","57557d0f6a3989d9676e92607b6d6f700930c26f41f12d47bee79c5df0913334","125056651d15555143z32z717z1dz31z900157z","2020-09-04 19:37:33","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Pivot implant" "6","Chimera","4644e922a0a46e560f1115b8078ee6978568d2d838645b84293cdb6f8c797fff","125056651d15555143z32z717z1dz31z900157z","2020-09-04 19:37:33","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "6","Chimera","da0d8dc8a3c034275d3a98471009dc65fc54afda5fc4f36a778c060e4113c429","125056651d15555143z32z717z1dz31z900157z","2020-09-04 19:37:33","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "6","Chimera","cc02448dbfe5290451ff2f7f13f96b96590d31774c3c72e6b2e236e7755dbd31","125056651d15555143z32z717z1dz31z900157z","2020-08-01 03:10:57","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "6","Chimera","801cac0879575ea2cf5dafd72d1676836c3ac8bc4264635c4461c3ee90a79297","125056651d15555143z32z717z1dz31z900157z","2020-08-01 03:10:57","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Pivoting on external Domain" "6","Chimera","c50a67746b3b10a5961f1dfbd1acccd52f0a9ff049fb47edf6e973c8f90bc185","125056651d15555143z32z717z1dz31z900157z","2020-08-01 03:10:57","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 23 5b 00 00 ff d3 48 81 c3 c8 ae 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule but different header" "7","Chimera","b9e9a707e3449e55d78a2b8b90b5fd2f83b99119bef9d4bb2c3537b8d7ec178c","125056655d1515|z","2018-09-27 23:00:20","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b3 18 00 00 ff d3 48 81 c3 38 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Internal Pivot" "7","Chimera","02a8ad2110256bbd1f08ba9e2de7a38c93a59a7dc131136e5aff1a35cb17eb71","125056655d1515|z","2018-09-27 23:00:20","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b3 18 00 00 ff d3 48 81 c3 38 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Internal Pivot" "7","Chimera","6e09590db5e55a763fd74087e1e582770cd0616f098ca083a25d49c62e533ce5","125056655d1515|z","2018-09-27 23:00:20","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b3 18 00 00 ff d3 48 81 c3 38 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Internal Pivot" "8","Chimera","3d842f42a7caa4e088a4c7a28ef866a9ac1e0f75be929beed99cc73838ad8507","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "8","Chimera","b2ebbcd9700e0ac2e0b54e3599f95f389a6c206c2c1236287de48757c89b8f80","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "8","Chimera","10b5ede60b9c5d7857a4462c4c3fd531b1793a37bd366f9cb6cb675289858aab","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "8","Chimera","f9cebbde1d4c61fdce981c73d24274dbe3f2707f6f42f76fcabe689ebcb1965d","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "8","Chimera","e8b94f00131ffad10638c7f3e323ae501e2164b101f9544eb91678ffcf8eb6b9","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "8","Chimera","e00f032ddecf958b9ed4fbdd9ca52f44ed7b25a260ab08e842f8d4f174f8c344","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "8","Chimera","76e6b9102e44d048fcdcb4e567cdd50754fd3e952f76a5c1b4cfcec8ccbe129b","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP" "8","Chimera","222a38b7a34bf52dea4bcd6b39d30a25b8b2485a684c42f702d237f2e09bfb29","125056651d15555143z42z78z1dz31z900156z1","2020-06-27 02:27:29","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 b7 57 00 00 ff d3 48 81 c3 34 b6 02 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","Same PE + junk code at the end ?" "9","Chimera","f6d89ff139f4169e8a67332a0fd55b6c9beda0b619b1332ddc07d9a860558bab","125056655d15555153z42z737z1dz31z900185z51","2020-04-17 23:08:28","4d 5a 41 52 55 48 89 e5 48 83 ec 20 48 83 e4 f0 e8 00 00 00 00 5b 48 81 c3 eb 18 00 00 ff d3 48 81 c3 00 09 03 00 49 89 d8 6a 04 5a ff d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01","matching with rule -> Internal IP"