The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques

Indicators of Compromise (IoC)

File Indicators

Indicator (SHA-256)                                                 Detection
00a41c8272d405ba85ae9d0e435e3030033e8a032f3d762367d0a57d41524f3a    Trojan.Win64.RAILLOAD.SMZALF-A
0d3ec88b0bfa5530e45dec75dfbea7ae683bdea91105b5f90a787beaabd1ef27    Trojan.Win64.RAILLOAD.SMZALF-A
0f6fe5d0ee754d581d4a8d989e83272b121d0125bd3c77e57a6b14db23f425ab    Trojan.Win64.RAILLOAD.A
13e0aef0ab6d218e68c5c5b6008872eb73104f161c902511aec3df5bce89136e    Trojan.Win64.RAILLOAD.SMZALF-A
16509adf92b1ac3097452affd8dda640936c8a40272592b978db3698487df5fa    Trojan.Win64.RAILLOAD.ZTLH
19bcca292814942f2fe8d142a679cc6a97fa6cbf77a0c98873146e918013bb5c    Trojan.Win64.RAILLOAD.ZBLK
1c8c14251710fbdef994d9ccf1d3507cf0ef5cd6c7d3495af2adfe7f97cc0dc2    Trojan.Win64.RAILSETTER.ZALH
1c93ba375016bcb41b915b78eb4ab023ecf456e240823a1d6d2b5297b3523956    Trojan.Win64.RAILLOAD.ZTLH
245fdb5e35b6f51b26d4cf3999a40dde13987240f9bf565fe03a1f6adb9da9b2    Backdoor.ASP.GODZILLA.ZCLI
281fc3aff361f202a41f4aff84a5f61e5728fd8ea0c1219a8bca540a959a4ee2    Trojan.Win64.RAILLOAD.ZBLK
28517bff286ade02b81da52f9fcddcb9764023ae7035bc593d081fdd2a8c85d9    Backdoor.Win64.VARGEIT.ZCLF.enc
2971a53769745c107a89eeb5f48e3b3e9680d371bf06b028c7769c961e6f9e55    Trojan.Win64.RAILLOAD.SMZALF-A
3129bfad321be526f231c64aac10d7d8f416dc14cab11c1bbc57252c75823959    Trojan.Win64.RAILLOAD.ZTLH
3b7c29489c1feaafc587eac0ffcca79964259c9687d86a5cce5ea70261f7439b    Trojan.Win64.RAILLOAD.ZBLF
3f0157cfb493df1cd051cc87364c7bdbe3719927335b76b7c567b369ab47b3be    Trojan.Win64.RAILLOAD.ZBLF
41410a8aa4a4fcd811ef67ba023e263f4cd6667039b01547d23a3eb758d97b96    Trojan.Win64.RAILLOAD.ZBLF
43e5c3d6182ab6d9d71b5892c5087b4ef4b3093126bcdf4ebcef0b15e04e0c03    Backdoor.Win64.VARGEIT.ZMLG.enc
442446fbc012847a12448398b619837614498bb611968e64166f0e9040c311db    Trojan.Win64.RAILLOAD.ZBLK
455510fe663775e09a2d0bbfdc4c8ec2e26665e10f9599b05dc59ea460f06ac8    Trojan.Win64.RAILLOAD.SMZALF-A
47ea0392ec123e3949b9ae2638b9078cd5efd4da942e38f149ccfb74d8e70123    Trojan.Win64.RAILLOAD.ZBLF
4be6f5e76ea02ae348b26fc32a0dabe009d05b701e53270cf40ca50fa76197b0    Backdoor.Win64.VARGEIT.ZCLF.embed
529e691a9d60b8ae0c64de82402e76c112df3bc27be5f2e94ee58252a67804a1    Trojan.Win64.RAILLOAD.ZBLF
52c8eacbcc8906036894a3a11cb4181d454c3a4f685500a799263cdcf6c6d88e    Trojan.Win64.RAILLOAD.SMZALF-A
5502735d81accb96c58300d1e21765b8b53a4749aad68e513b2558ed79f83cc4    Trojan.Win64.RAILLOAD.SMZALF-A
5518b542afd9d456ee8dea4dec3e0e8a98a42982b33f8f629d3d8edeca0dbf4d    Trojan.Win64.RAILLOAD.ZALG
55b4e3814a349c9de4c99237f62d42787a6fef64b809db9cf52cfe0602cac01e    Trojan.Win64.RAILLOAD.SMZALF-A
5872da9dfd5ed3c0b9e0a05466a56c6ac6966012b5b3e14ac43a1225ba5e6bb2    Trojan.Win64.RAILLOAD.ZALG
5aaca0994795ba7da0f10cd393ac32cc1e78c9afd4e9d09bbbe430f168c0eebe    Trojan.Win64.RAILLOAD.SMZALF-A
5c829480c4563f736c8f6a4a2987fc4cd3fc330804db82cd98217d0110531b6e    Trojan.Win64.RSBINJECT.ZBLI
5d358bcd0acb999fdec332f0a2d1fe51952542f0836b9618ab18f253597d244c    Trojan.Win64.RAILLOAD.SMZALF-A
5dcd5cb720a40692b7e49540a42f1d12e831aaab369d9fe31a66b0433b825264    Trojan.Win64.RAILLOAD.ZALG
62d71b61af750ad3b763d98504a174a1949a359a4cb4f6ce2795b7b3240919eb    Trojan.Win64.RAILLOAD.SMZALF-A
67dddc4ce777df1baa19acb1c3535eb01a54f24516a85312bafe4cba11d74483    Trojan.Win64.RAILLOAD.ZBLK
681e9aab60b1c64dacbc7c8574d294333b9cd4494ec683b0c780866c3e1e7d40    Trojan.Win64.RAILLOAD.ZBMB
762525805afe6a0891275ebc2ae1f067e9aad8f310afc0b1ad800cc980ed8b55    Trojan.Win64.RAILLOAD.SMZALF-A
7654e7f7076f07e76ae478c1df65f1711918ad4f36c45f520cc46cdcb1128cc2    Trojan.Win64.RAILLOAD.ZALG
7ad44f7e1f78ee83f20da498584ec7138c2514580ddfe62698be7587ae2678e1    Trojan.Win64.RAILLOAD.SMZALF-A
83968575244ab2e44a5b94423bb1cacd10bb293ddcbbddbc2fc117f9335b6e78    Trojan.Win64.RAILLOAD.ZCLH
846be29c140850fd9524339acd67eac4b84bc59ed056544356d199226452ea88    Trojan.Win64.RAILLOAD.A
85f9bac9eefb5fbc1e51508ce12cda10a69d8bde82952891081b19d6833297ab    Trojan.Win64.RAILLOAD.ZBLF
86e2d56761fb4dc16c7b0cd8da241c9899af851f5df751ffc67a2d68062e71f4    Trojan.Win64.RAILLOAD.ZTLH
86f5f088cf997766e52860b57506ba0923454a63bee39e4e3de2fb98c4fee240    Trojan.Win64.RAILLOAD.SMZALF-A
8b0023248bc037631b26694f34d7bc8163e2d5f5919fe61f3dbc1354f87d6792    Trojan.Win64.MASQLOADER.ZAKL
8c89362d4bed8bd2f0fbffc450bca4e7666fc7a3e88ec56a5dd149593fd697ec    Trojan.Win64.RAILLOAD.SMZALF-A
91034c01e800b116095eecdb073a5262852fc2c788f9fcd09259d6c09ce88ac6    Trojan.Win64.RAILLOAD.SMZALF-A
9366ece5ff9082145184adb2e91053d5e0d68d4d9f9a9f054aad68b8e7368443    Trojan.Win64.RAILLOAD.ZBLF
9b5e6c2f287ea7931bb27f63111ef0035265bc27751f01bd6c7f3dd3395bbaf5    Trojan.Win64.RAILLOAD.ZCLI
9d9f40c6c2dc14118452f7f1b56346e60a8681fb83300e4292576e635b37f9c8    Trojan.Win64.RAILLOAD.SMZALF-A
9f94bb59bfc32958a15cd8e225f270802bd9e14929e5d0f4f488842710a361ea    Trojan.Win64.RAILLOAD.SMZALF-A
a042157e7460f6c28c984a1c1f3803521a556c67e26411854e497685ef436325    Trojan.Win64.RAILLOAD.SMZALF-A
a14e226a50c12e637e8b280ad688e5637db752c72d0f8b2bac5f2d3d487e1c21    Backdoor.Win64.VARGEIT.ZALF.enc
a79679d8f9551810504ff316465fb289d1ac64dc52bcaabd70267217d33d603c    Trojan.Win64.RAILLOAD.ZCLI
a845cb84ea11f0fa7a982407705e892f58d7cb407eadc5329416464cccdd6a23    Trojan.Win64.RAILLOAD.SMZALF-A
a9804fa05845707f094fe91668a5c3792f2441d371816b46fbe636953fc5787d    Backdoor.Win64.VARGEIT.ZCLF.enc
ab6145f1ea6c8a682bea289cef06c0f27fa076b8f88a89a2631167541fc835e9    Trojan.Win64.RAILLOAD.SMZALF-A
ac70d98af57d9e3da9ee485a4ab1badbb28e89d15c4ef2df521423881a147e43    Trojan.Win64.RAILLOAD.SMZALF-A
afd83d598843f93f7cad02bbe8467da2f257b5344600090034bb795844f05bdc    Trojan.Win64.RAILLOAD.ZBLK
b0a42d1c5a07bbe317a034e204c0eb64ae5d99e3dfbfbd9b3b098caea4b19f96    Trojan.Win64.RAILLOAD.SMZALF-A
b32dd5d549bcf4b674b4e7cf5481064b38ea614c666b158afedc7084b715c1fa    Trojan.Win64.RAILLOAD.SMZALF-A
b8accaa144c035c670fb3c2bf580d2fb64ab562c89835f7e30b044a8711cb5e5    Trojan.Win64.RAILSETTER.ZCLH
b8e1a46146c09ef54b802a6989b485ef5982a86228a24ec0839ec5af7b42e648    Backdoor.Win64.VARGEIT.ZCLF.enc
b92452a6c2cd13193a6df88278c31c85008acf448655c18389c84b353026d15e    Trojan.Win64.RAILLOAD.ZCLI
b9fefe3946d0c9e000262a10b184090da45925f24b7dfc9d25abe63bc55ca7ed    Backdoor.Win64.VARGEIT.ZALF.enc
ba0105c8fa99b8f3a82c32d20e94031f22e277286b738db529e763955df248dc    Trojan.Win64.RAILLOAD.ZCLI
bd0dbf799e98137238ae38f134c7af82d7ff673c0a418044add0220211d98a27    Trojan.Win64.RAILLOAD.SMZALF-A
be01089ad2c2e7af32677ec0a7a9a541dee1cb149639d60fb7b7e9b641d2ccdb    Trojan.Win64.RAILLOAD.ZTLH
c0d1deb30fd3507455dae99aabf1cc23638b2bcf1908099e08081ee2691a24b0    Trojan.Win64.RAILLOAD.SMZALF-A
c56c88ce8e45a9caa043f1f4831442f09bae6f1a083910f772afc1e27be3b606    Trojan.Win64.RAILLOAD.SMZALF-A
c6a28c9cac9c4b5ef57998bdc7a7f430fff7c9ac819fef278f8350751b6edaab    Trojan.Win64.RAILLOAD.ZTLH
cd385806117ebe1504af4669671b4c0a252faec873e1402aaebeb413fdd58556    Trojan.Win64.RAILLOAD.ZBLK
d31eb16688d1b36652e87d43ad5755d139eedd74b500ddcee97a5545d8d1fe7b    Trojan.Win64.RAILLOAD.ZBLK
d34947e11879598b85d9baa703cb96a83d7c3ccb53868ab86ff9a2f37dc91459    Trojan.Win64.RAILLOAD.ZALF
d692c85da91bb5e5724f520ca392b68eee144a3719a7441c779c8ce73d3b25dc    Backdoor.Win64.VARGEIT.ZCLF.enc
d83a837910305567acfd49d2d416fc4b113f080e31730c9b0abefa4b01192a40    Trojan.Win64.RAILLOAD.ZALG
ded42e37f05950374496824ce3f4d540a45e97be35ed6d7ddcfcf12a7b2cd46f    Trojan.Win64.RAILLOAD.ZALG
dfbb857e6383789545c719c99d878a678a0aeae2a6a1c8f44e87b7aa478fc354    Trojan.Win64.RAILLOAD.ZALF
e03062caa13400df3d60efb1aa2b0f19dcf65fefc38d4bc9931c0918b5dc4865    Trojan.Win64.RAILLOAD.ZALG
e299b865cdb0fdd9605e3c5e9d00fb473c77af4ed213775d594cc0fe91b8dd3a    Trojan.Win64.RAILLOAD.SMZALF-A
e3465c996e149b218d95a4b109e6e3ff268e8d63aafa73d4855750b33c66a33c    Trojan.Win64.RAILLOAD.ZBMB
e6141757775ce9747b12f21cc7f8411e5ab4916649f38738f4e93b2ca7cc274a    Trojan.Win64.RAILLOAD.ZBLK
ee8385313e03890c6862f70c94f2c5a3e9cd09764fcac4488fabc5ce9613228a    Trojan.Win64.RAILLOAD.ZBLF
f0cd90b42969706d1a78e75608aded6d5ac8610f36cab8f8be7160c5cbf485a5    Trojan.Win64.RAILLOAD.ZCLI
f92493bf2b46873feee38ea2dac69ff830637983d569b64ee87e75f7fe08de88    Trojan.Win64.RAILLOAD.ZBLK
fd1720b11ddd7ae226889deca9a6532df676a4991f0209c0a3d6d7be52276dcf    Trojan.Win64.RAILLOAD.ZALG
fd3637392404c3ed169a4999f6a05274715109f9fa028be9ad9ce7853d983d54    Trojan.Win64.RAILLOAD.SMZALF-A

Network Indicators

Type      Indicator                    Description
Domain    www.upload-microsoft.com     COBEACON C&C
Domain    store.azure-clouds.com       COBEACON C&C
Domain    google.otp.us.kg             COBEACON C&C
IP        8.218.222.216                Download IP