{ "id": "7e1caada-ee86-415c-ab75-fe0322466708", "created_at": "2026-04-06T00:11:50.932341Z", "updated_at": "2026-04-10T03:38:20.019892Z", "deleted_at": null, "sha1_hash": "1e1c9aceb38a1cee80f83416bdf2279aefbf1c9f", "title": "MAR-10135536-3 - HIDDEN COBRA RAT/Worm | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 95342, "plain_text": "MAR-10135536-3 - HIDDEN COBRA RAT/Worm | CISA\r\nPublished: 2018-05-31 · Archived: 2026-04-05 13:48:04 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial\r\nproduct or service, referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol, see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis submission includes four unique files. The first is an installer for additional malware: a Remote Access Trojan (RAT)\r\nand a malicious Dynamic Link Library (DLL) that functions as a Server Message Block (SMB) Worm. The fourth file is\r\nanother SMB worm in the form of a Windows 32-bit executable.\r\nBoth SMB worms attempt to spread locally and to random IP addresses on the public Internet by attempting to brute force\r\nvulnerable systems using a built-in list of common passwords. The RAT included with the SMB worm provides the attacker\r\nwith the ability to deliver additional malware, run local commands, and exfiltrate data.\r\nAs of May 31, 2018, this report has been updated to correct the email addresses used by Wmmvsvc.dll\r\n(ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781).\r\nFor a downloadable copy of IOCs, see:\r\nMAR-10135536-3.stix\r\nEmails (2)\r\nmisswang8107@gmail.com\r\nredhat@gmail.com\r\nSubmitted Files (4)\r\n077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885 (4731CBAEE7ACA37B596E38690160A7...)\r\na1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717 (scardprv.dll)\r\nea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781 (Wmmvsvc.dll)\r\nfe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16 (298775B04A166FF4B8FBD3609E7169...)\r\nFindings\r\n077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885\r\nTags\r\nbackdoortrojanworm\r\nDetails\r\nName 4731CBAEE7ACA37B596E38690160A749\r\nSize 208896 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 4731cbaee7aca37b596e38690160a749\r\nSHA1 80fac6361184a3e24b33f6acb8688a6b7276b0f2\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 1 of 15\n\nSHA256 077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885\r\nSHA512 9fdc1bf087d3e2fa80ff4ed749b11a2b3f863bed7a59850f6330fc1467c38eed052eee0337d2f82f9fe8e145f68199b966ae3c08f7ad1475b665beb\r\nssdeep 6144:M6atGpHk4NdSksOBbNUyb4ajb1TWiYW9ebYwtJEGLYMYR4:Msdk4NdSksOv\r\nEntropy 7.731026\r\nAntivirus\r\nAVG BackDoor.Generic14.ARHX\r\nAhnlab Trojan/Win32.Npkon\r\nAvira BDS/Joanap.A.11\r\nBitDefender Gen:Variant.Barys.57573\r\nClamAV Win.Trojan.Agent-1388737\r\nCyren W32/Zegost.AA.gen!Eldorado\r\nESET Win32/Scadprv.A trojan\r\nEmsisoft Gen:Variant.Barys.57573 (B)\r\nF-secure Gen:Variant.Barys.57573\r\nFilseclab Worm.Agent.age.ebwv\r\nIkarus Worm.Win32.Agent\r\nK7 Backdoor ( 04c4b9d11 )\r\nMcAfee W32/FunCash!worm\r\nMicrosoft Security Essentials Backdoor:Win32/Joanap.J!dha\r\nNANOAV Trojan.Win32.Agent.crilzb\r\nQuick Heal Backdoor.Joanap\r\nSophos Mal/EncPk-AGS\r\nSymantec Trojan.Gen.2\r\nSystweak trojan.agent\r\nTrendMicro BKDR_JOANAP.AC\r\nTrendMicro House Call BKDR_JOANAP.AC\r\nVir.IT eXplorer Backdoor.Win32.Generic.ARHX\r\nVirusBlokAda Worm.Agent\r\nZillya! Worm.Agent.Win32.3373\r\nnProtect Worm/W32.Agent.208896.AK\r\nYara Rules\r\nhidden_cobra_consolidated.yara rule Enfal_Generic { meta: author = \"NCCIC trusted 3rd party\" incident = \"10135536\" date =\r\n\"2018-04-12\" category = \"hidden_cobra\" family = \"BRAMBUL,JOANAP\" MD5_1 =\r\n\"483B95B1498B615A1481345270BFF87D\" MD5_2 =\r\n\"4731CBAEE7ACA37B596E38690160A749\" MD5_3 =\r\n\"CD60FD107BAACCAFA6C24C1478C345C8\" MD5_4 =\r\n\"298775B04A166FF4B8FBD3609E716945\" Info = \"Detects Hidden Cobra SMB Worm / RAT\"\r\nstrings: $s0 = {6D737373636172647072762E6178} $s1 =\r\n{6E3472626872697138393076393D3032333D30312A2628542D30513332354A314E3B4C4B}\r\n$s2 = {72656468617440676D61696C2E636F6D} $s3 =\r\n{6D69737377616E673831303740676D61696C2E636F6D} $s4 =\r\n{534232755365435632564474} $s5 = {794159334D6559704275415756426341} $s6 =\r\n{705641325941774242347A41346167664B6232614F7A4259} $s7 =\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 2 of 15\n\n{AE8591916D586DE4F6FB8EE2F0BBF1F9} $s8 =\r\n{F96D5DD36D6D9A87DD6D506D6D6D516D} $s9 =\r\n{43616E6E6F74206372656174652072656D6F74652066696C652E} $s10 =\r\n{43616E6E6F74206F70656E2072656D6F74652066696C65} $s11 =\r\n{663D547D75128D85FCFEFFFF5056} $s12 =\r\n{663D547D75128D85FCFEFFFF5056E88C060000E9A9000000663D557D7512} $s13 =\r\n{663D567D750F8D85FCFEFFFF5056E891070000EB7C663D577D} $s14 =\r\n{3141327A3342347935433678374438773945307624465F754774487349724A71} $s15 =\r\n{393032356A6864686F333965686532} condition: ($s0) or ($s1) or ($s2) or ($s3) or ($s4 and\r\n$s5 and $s6) or ($s7 and $s8) or ($s9 and $s10 and $s11) or ($s12 and $s13) or ($s14 and $s15)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2011-09-14 01:53:24-04:00\r\nImport Hash e8cd12071a8e823ebc434c8ee3e23203\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nbf69e0e64bdafa28b31e3c2134e1d696 header 4096 0.658046\r\n27f1df91dc992ababc89460f771a6026 .text 24576 6.227301\r\n249e10a4ad0a58c3db84eb2f69db5db5 .rdata 4096 4.367702\r\n88b5582d4d361c92e9234abf0942ed9e .data 4096 2.546586\r\na18b7869b3bfd4a2ef0d03c96fa09221 .rsrc 172032 7.969250\r\nPackers/Compilers/Cryptors\r\nProcess List\r\nProcess PID PPID\r\n077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885.exe 2628 (2588)\r\nRelationships\r\n077d9e0e12... Dropped a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717\r\n077d9e0e12... Dropped ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\nDescription\r\nThis 32-bit Windows executable file drops two malicious applications.\r\nThe first (a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717) is a fully functioning RAT.\r\nThe second application (ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781) is a SMB worm that\r\nwill spread to local subnets and external networks.\r\na1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717\r\nTags\r\nbackdoorbottrojanworm\r\nDetails\r\nName scardprv.dll\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 3 of 15\n\nSize 77824 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 4613f51087f01715bf9132c704aea2c2\r\nSHA1 6b1ddf0e63e04146d68cd33b0e18e668b29035c4\r\nSHA256 a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717\r\nSHA512 37fa5336d1554557250e4a3bcb4ccfca79f4873264cb161dee340d35a2f8f17f7853fe942809bb343ac1eae0a37122b5e8fd703a9b820ec96abb6\r\nssdeep 768:qtT2AxNtcgpqLepcy2y6/chYdP8KuSFM+Cs5CBaho9S4AJKqBz8MZdVsrQVBnVGa:qwONtBqL1dDMrs5CN9S4A3HOYBnVL\r\nEntropy 6.138177\r\nAntivirus\r\nAVG Agent3.BAPF\r\nAhnlab Trojan/Win32.Dllbot\r\nAvira TR/Gendal.6762100\r\nBitDefender Gen:Variant.Graftor.Elzob.3935\r\nClamAV Win.Trojan.Agent-1388765\r\nESET a variant of Win32/Scadprv.A trojan\r\nEmsisoft Gen:Variant.Graftor.Elzob.3935 (B)\r\nF-secure Gen:Variant.Graftor.Elzob.3935\r\nFilseclab Worm.Agent.ago.thfj.dll\r\nIkarus Worm.Win32.Agent\r\nK7 Trojan ( 0001659c1 )\r\nMcAfee W32/FunCash!worm\r\nMicrosoft Security Essentials Backdoor:Win32/Joanap.B!dha\r\nNANOAV Trojan.Win32.Agent.cwccco\r\nQuick Heal Backdoor.Duzzer.A5\r\nSophos Mal/Generic-L\r\nSymantec Backdoor.Joanap\r\nSystweak malware.gen-20120501\r\nTrendMicro BKDR_JOANAP.AC\r\nTrendMicro House Call BKDR_JOANAP.AC\r\nVir.IT eXplorer Trojan.Win32.Agent3.BAPF\r\nVirusBlokAda Worm.Agent\r\nZillya! Worm.Agent.Win32.5702\r\nnProtect Worm/W32.Agent.77824.CJ\r\nYara Rules\r\nhidden_cobra_consolidated.yara rule Enfal_Generic { meta: author = \"NCCIC trusted 3rd party\" incident = \"10135536\" date =\r\n\"2018-04-12\" category = \"hidden_cobra\" family = \"BRAMBUL,JOANAP\" MD5_1 =\r\n\"483B95B1498B615A1481345270BFF87D\" MD5_2 =\r\n\"4731CBAEE7ACA37B596E38690160A749\" MD5_3 =\r\n\"CD60FD107BAACCAFA6C24C1478C345C8\" MD5_4 =\r\n\"298775B04A166FF4B8FBD3609E716945\" Info = \"Detects Hidden Cobra SMB Worm / RAT\"\r\nstrings: $s0 = {6D737373636172647072762E6178} $s1 =\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 4 of 15\n\n{6E3472626872697138393076393D3032333D30312A2628542D30513332354A314E3B4C4B}\r\n$s2 = {72656468617440676D61696C2E636F6D} $s3 =\r\n{6D69737377616E673831303740676D61696C2E636F6D} $s4 =\r\n{534232755365435632564474} $s5 = {794159334D6559704275415756426341} $s6 =\r\n{705641325941774242347A41346167664B6232614F7A4259} $s7 =\r\n{AE8591916D586DE4F6FB8EE2F0BBF1F9} $s8 =\r\n{F96D5DD36D6D9A87DD6D506D6D6D516D} $s9 =\r\n{43616E6E6F74206372656174652072656D6F74652066696C652E} $s10 =\r\n{43616E6E6F74206F70656E2072656D6F74652066696C65} $s11 =\r\n{663D547D75128D85FCFEFFFF5056} $s12 =\r\n{663D547D75128D85FCFEFFFF5056E88C060000E9A9000000663D557D7512} $s13 =\r\n{663D567D750F8D85FCFEFFFF5056E891070000EB7C663D577D} $s14 =\r\n{3141327A3342347935433678374438773945307624465F754774487349724A71} $s15 =\r\n{393032356A6864686F333965686532} condition: ($s0) or ($s1) or ($s2) or ($s3) or ($s4 and\r\n$s5 and $s6) or ($s7 and $s8) or ($s9 and $s10 and $s11) or ($s12 and $s13) or ($s14 and $s15)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2011-09-14 01:38:38-04:00\r\nImport Hash f6f7b2e00921129d18061822197111cd\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nc745765d5ae0458d76c721b8a82eca52 header 4096 0.763991\r\nf16ff24a6d95e0e0711eccae4283bbe5 .text 40960 6.506011\r\nb89bb8a288d739a27d7021183336413c .rdata 20480 6.655349\r\nfcd7ede94211c9d653bd8cc776feb8be .data 4096 4.326483\r\n56dc69f697f36158eefefdde895f39b6 .rsrc 4096 0.613739\r\n20601cf5d6aecb9837dcc1747847c5a2 .reloc 4096 4.068756\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0 DLL\r\nRelationships\r\na1c483b0ee... Dropped_By 077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885\r\nDescription\r\nThis 32-bit Windows DLL is written to disk and then loaded by the file \"4731CBAEE7ACA37B596E38690160A749\".\r\nThis malware has been identified as a RAT, providing a remote actor with the ability to exfiltrate data, drop and run\r\nsecondary payloads, and provide proxy capabilities on a compromised Windows device. The malware binds to port 443 and\r\nlistens for incoming connections from a remote operator, using the Rivest Cipher 4 (RC4) encryption algorithm to protect\r\ncommunications with its Command and Control (C2).\r\nThe malware also creates a log entry in a file named “mssscardprv.ax”, located in the %WINDIR%\\system32 folder. The log\r\nentry includes the victim's Internet Protocol (IP) address, host name, and current system time.\r\nea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\nTags\r\nbackdoorbottrojanworm\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 5 of 15\n\nDetails\r\nName Wmmvsvc.dll\r\nSize 91664 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 e86c2f4fc88918246bf697b6a404c3ea\r\nSHA1 9b7609349a4b9128b9db8f11ac1c77728258862c\r\nSHA256 ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\nSHA512 f6097c66a526ba7a3c918b1c7fccae03c812046d642a4adb62ee7a24cbcee889c0348020ae7e2e82ee3f284b311f049ed596edb22b90153cadc11\r\nssdeep 768:9eY/pEwKWcwP/bY4XxlGLup3Tq1LpDLJkDcw3f9zj:MitnU4viJJDw3Z\r\nEntropy 3.156854\r\nAntivirus\r\nAVG PSW.Generic9.ACQQ\r\nAhnlab Trojan/Win32.Dllbot\r\nAvira BDS/Joanap.A.8\r\nBitDefender Gen:Variant.Symmi.49274\r\nClamAV Win.Trojan.Agent-1388727\r\nCyren W32/Trojan.WXKV-0327\r\nESET a variant of Win32/Agent.NJF worm\r\nEmsisoft Gen:Variant.Symmi.49274 (B)\r\nF-secure Gen:Variant.Symmi.49274\r\nFilseclab Trojan.Agent.NJF.cuzy.dll\r\nIkarus Worm.Win32.Agent\r\nK7 Trojan ( 00515bda1 )\r\nMcAfee Generic PWS.tr\r\nMicrosoft Security Essentials Backdoor:Win32/Joanap.A!dha\r\nNANOAV Trojan.Win32.Agent.cqilax\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Backdoor.Joanap\r\nSophos Mal/Generic-L\r\nSymantec W32.Brambul\r\nVir.IT eXplorer Trojan.Win32.Generic.ACQQ\r\nVirusBlokAda Worm.Agent\r\nZillya! Worm.Agent.Win32.3549\r\nnProtect Worm/W32.Agent.91664\r\nYara Rules\r\nhidden_cobra_consolidated.yara rule Enfal_Generic { meta: author = \"NCCIC trusted 3rd party\" incident = \"10135536\" date =\r\n\"2018-04-12\" category = \"hidden_cobra\" family = \"BRAMBUL,JOANAP\" MD5_1 =\r\n\"483B95B1498B615A1481345270BFF87D\" MD5_2 =\r\n\"4731CBAEE7ACA37B596E38690160A749\" MD5_3 =\r\n\"CD60FD107BAACCAFA6C24C1478C345C8\" MD5_4 =\r\n\"298775B04A166FF4B8FBD3609E716945\" Info = \"Detects Hidden Cobra SMB Worm / RAT\"\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 6 of 15\n\nstrings: $s0 = {6D737373636172647072762E6178} $s1 =\r\n{6E3472626872697138393076393D3032333D30312A2628542D30513332354A314E3B4C4B}\r\n$s2 = {72656468617440676D61696C2E636F6D} $s3 =\r\n{6D69737377616E673831303740676D61696C2E636F6D} $s4 =\r\n{534232755365435632564474} $s5 = {794159334D6559704275415756426341} $s6 =\r\n{705641325941774242347A41346167664B6232614F7A4259} $s7 =\r\n{AE8591916D586DE4F6FB8EE2F0BBF1F9} $s8 =\r\n{F96D5DD36D6D9A87DD6D506D6D6D516D} $s9 =\r\n{43616E6E6F74206372656174652072656D6F74652066696C652E} $s10 =\r\n{43616E6E6F74206F70656E2072656D6F74652066696C65} $s11 =\r\n{663D547D75128D85FCFEFFFF5056} $s12 =\r\n{663D547D75128D85FCFEFFFF5056E88C060000E9A9000000663D557D7512} $s13 =\r\n{663D567D750F8D85FCFEFFFF5056E891070000EB7C663D577D} $s14 =\r\n{3141327A3342347935433678374438773945307624465F754774487349724A71} $s15 =\r\n{393032356A6864686F333965686532} condition: ($s0) or ($s1) or ($s2) or ($s3) or ($s4 and\r\n$s5 and $s6) or ($s7 and $s8) or ($s9 and $s10 and $s11) or ($s12 and $s13) or ($s14 and $s15)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2011-09-14 11:42:30-04:00\r\nImport Hash f0087d7b90876a2769f2229c6789fcf3\r\nCompany Name Microsoft Corporation\r\nFile Description Microsoft XML Encoder/Transcoder\r\nInternal Name xpsshrm.dll\r\nLegal Copyright © Microsoft Corporation. All rights reserved.\r\nOriginal Filename xpsshrm.dll\r\nProduct Name Microsoft® Windows Media Services\r\nProduct Version 9.00.00.4503\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n037e97300efd533dd48d334d30bdc408 header 4096 0.759334\r\n4b5019185bb0b82273442dae3f15f105 .text 24576 6.083997\r\n9e5a1cfda72f8944cd5e35e33a2a73b0 .rdata 4096 3.267725\r\n47982ac1b20cac03adcfd62f5881b79c .data 49152 1.087883\r\nb971ab49349a660c70cb6987b7fb3ed3 .rsrc 4096 1.140488\r\nad5750c9584c0eba32643810ab6e8a53 .reloc 4096 2.515288\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0 DLL\r\nRelationships\r\nea46ed5aed... Dropped_By 077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885\r\nea46ed5aed... Connected_To misswang8107@gmail.com\r\nea46ed5aed... Contains redhat@gmail.com\r\nDescription\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 7 of 15\n\nThis file is a malicious 32-bit Windows DLL that is written to disk then loaded by the file\r\n\"4731CBAEE7ACA37B596E38690160A749\".\r\nWhen executed, the DLL attempts to contact all of the Internet Protocol (IP) addresses on the victim's local subnet. If the\r\nmalware is able to connect to these IP addresses, it will attempt to gain unauthorized access via the SMB protocol on port\r\n445 using a brute-force password attack. The malware contains an embedded password list consisting of commonly used\r\npasswords and generates random external IP addresses, which it attempts to attack.\r\nIf the malware successfully gains access to another system, it will send an email containing the system's IP address,\r\nhostname, username, and password to the following address:\r\n--Begin email address--\r\nmisswang8107@gmail.com\r\n--End email address--\r\nThe email will appear to be from the following address (Refer to Figure 1):\r\n--Begin email address--\r\nredhat@gmail.com\r\n--End email address--\r\nThe malware uses the victim's system folder to create a shared folder named \"adnim$\" by running the following commands\r\nvia a remotely run service:\r\n--Begin commands utilized to create SMB share--\r\ncmd.exe /q /c net share adnim$=%SystemRoot%\r\ncmd.exe /q /c net share adnim$=%%SystemRoot%% /GRANT:%s,FULL\r\n--End commands utilized to create SMB share--\r\nThe malware will then copy itself to newly created shared folder as a file named \"mssscardprv.ax\". After copying the\r\nmalware to the new system it then runs the file on the victim system using a malicious service. The adnim$ share will then\r\nbe deleted from the remote system using the following command:\r\n--Begin command used to delete share--\r\n'cmd.exe /q /c net share adnim$ /delete'\r\n--End command used to delete share--\r\nThe malware determines if Remote Desktop Protocol (RDP) is enabled by attempting to connect to port 3389. If it is able to\r\nconnect to this port, the malware will report RDP is available on the compromised system. This information is provided to\r\nthe operator using the malicious email address provided earlier.\r\nThis malware can communicate with the RAT identified as \"scardprv.dll\" (4613f51087f01715bf9132c704aea2c2). The\r\ncommunication is protected with the Rivest Cipher 4 (RC4) encryption protocol. When attempting to propagate, the\r\nmalware uses the following three usernames combined with a password brute-force attack:\r\n--Begin malicious usernames used by SMB worm--\r\nAdministrateur\r\nAdministrador\r\nAdministrator\r\n--End malicious usernames used by SMB worm--\r\nAlthough the malware uses numerous embedded passwords in its brute force attacks, within our environment the malware\r\nconsistently used the following \"Lan Manager Response\" in its SMB attacks:\r\n--Begin static Lan Manager response--\r\n8C15084FA541079A000000000000000000\r\n--End static Lan Manager response--\r\nThis hexadecimal value may be useful in detecting this worm as it communicates over port 445 and attempts to spread.\r\nSpecifically, when the malware attempts to run a remote service to create the \"adnim$\" share, the following network traffic\r\nis generated:\r\n--Begin network signature--\r\nASCII: cmd.exe /q /c net share adnim$=%SystemRoot% /GRANT:Administrator,FULL\r\nHEX:\r\n636D642E657865202F71202F63206E65742073686172652061646E696D243D2553797374656D526F6F7425202F4752414E543A41646D696E6973747\r\n--End network signature--\r\nScreenshots\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 8 of 15\n\nFigure 1 - The screenshot illustrates the to and from email addresses for data exfiltration.\r\nfe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16\r\nTags\r\nbackdoortrojanworm\r\nDetails\r\nName 298775B04A166FF4B8FBD3609E716945\r\nSize 86016 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 298775b04a166ff4b8fbd3609e716945\r\nSHA1 2e0f666831f64d7383a11b444e2c16b38231f481\r\nSHA256 fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16\r\nSHA512 adc9bb5a2116134ddf57d1b1765d5981c55828aa8c6719964b0e2eeb6c9068a2acaa98c2e03227a406a4fbfa2f007f5eb9f57a61e3749b8eb0d73\r\nssdeep 768:i+cDn8nAQ5Toz4c0+u5jrdXs+W+aCNkiC8xeC3cs:i+M8ndTozOn5jxF/US0s\r\nEntropy 2.873816\r\nAntivirus\r\nClamAV Win.Trojan.Agent-1388727\r\nESET a variant of Win32/Agent.NVC worm\r\nMcAfee GenericRXCB-TI!298775B04A16\r\nMicrosoft Security Essentials Backdoor:Win32/Joanap.A!dha\r\nSymantec Heur.AdvML.B\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule Enfal_Generic { meta: author = \"NCCIC trusted 3rd party\" incident = \"10135536\" date =\r\n\"2018-04-12\" category = \"hidden_cobra\" family = \"BRAMBUL,JOANAP\" MD5_1 =\r\n\"483B95B1498B615A1481345270BFF87D\" MD5_2 =\r\n\"4731CBAEE7ACA37B596E38690160A749\" MD5_3 =\r\n\"CD60FD107BAACCAFA6C24C1478C345C8\" MD5_4 =\r\n\"298775B04A166FF4B8FBD3609E716945\" Info = \"Detects Hidden Cobra SMB Worm / RAT\"\r\nstrings: $s0 = {6D737373636172647072762E6178} $s1 =\r\n{6E3472626872697138393076393D3032333D30312A2628542D30513332354A314E3B4C4B}\r\n$s2 = {72656468617440676D61696C2E636F6D} $s3 =\r\n{6D69737377616E673831303740676D61696C2E636F6D} $s4 =\r\n{534232755365435632564474} $s5 = {794159334D6559704275415756426341} $s6 =\r\n{705641325941774242347A41346167664B6232614F7A4259} $s7 =\r\n{AE8591916D586DE4F6FB8EE2F0BBF1F9} $s8 =\r\n{F96D5DD36D6D9A87DD6D506D6D6D516D} $s9 =\r\n{43616E6E6F74206372656174652072656D6F74652066696C652E} $s10 =\r\n{43616E6E6F74206F70656E2072656D6F74652066696C65} $s11 =\r\n{663D547D75128D85FCFEFFFF5056} $s12 =\r\n{663D547D75128D85FCFEFFFF5056E88C060000E9A9000000663D557D7512} $s13 =\r\n{663D567D750F8D85FCFEFFFF5056E891070000EB7C663D577D} $s14 =\r\n{3141327A3342347935433678374438773945307624465F754774487349724A71} $s15 =\r\n{393032356A6864686F333965686532} condition: ($s0) or ($s1) or ($s2) or ($s3) or ($s4 and\r\n$s5 and $s6) or ($s7 and $s8) or ($s9 and $s10 and $s11) or ($s12 and $s13) or ($s14 and $s15)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 9 of 15\n\nPE Metadata\r\nCompile Date 2018-01-05 01:22:45-05:00\r\nImport Hash 9f298eba36baa47b98a60cf36fdb2301\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n8a5b06109c3bd4323fa3318f9874d529 header 4096 0.703885\r\n413f30d4d86037b75958b45b9efbe1de .text 20480 6.302858\r\n82b41fefc9aa74a2430f1421fd5fe5b3 .rdata 4096 3.748024\r\nb6f17870ca5f45d4c75e18024e6e1180 .data 53248 1.067897\r\ncda5ef1038742e5ef46b9cfa269b0434 .rsrc 4096 0.608792\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nProcess List\r\nProcess PID PPID\r\nfe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16.exe 2436 (2408)\r\nDescription\r\nThis file is a malicious 32-bit Windows executable file designed to scan the local network and the Internet for machines that\r\nare accessible and have open SMB ports. Once the malware gains access to a remote machine, it will deliver a malicious\r\npayload. This file accepts the following command-line arguments for execution:\r\n--Begin arguments--\r\n-i ==\u003e Create service\r\n-u ==\u003e Control and delete service\r\n-s ==\u003e Start service\r\n-r ==\u003e Run not as a service\r\n-k ==\u003e ControlService\r\n--End arguments--\r\nWhen executed with the \"-i\" argument, the malware installs and executes itself as the following service:\r\n--Begin service information--\r\nServiceName = \"RdpCertification\"\r\nDisplayName = \"Remote Desktop Certification Services\"\r\nDesiredAccess = SERVICE_ALL_ACCESS\r\nServiceType = SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS\r\nStartType = SERVICE_AUTO_START\r\nBinaryPathName = \"%current directory%\\298775B04A166FF4B8FBD3609E716945.exe\"\r\n--End service information--\r\nThe malware creates a mutual exclusion (Mutex) object named \"PlatFormSDK20150201\", then generates a list of IP\r\naddresses using a domain generation algorithm (DGA). The DGA uses the system time in the algorithm to create the list of\r\nIP addresses.\r\nIt generates network traffic over Transmission Control Protocol (TCP) ports 80 and 445 via the victims' IP addresses and the\r\ngenerated IP addresses.\r\nSample HTTP request:\r\n--Begin HTTP request--\r\nOPTIONS / HTTP/1.1\r\ntranslate: f\r\nUser-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\nHost: 159.154.100.0\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 10 of 15\n\nContent-Length: 0\r\nConnection: Keep-Alive\r\n--End HTTP request--\r\nOnce successfully connected to other Windows hosts or the generated IP addresses using port 445, the malware attempts to\r\nuse a hard-coded list of passwords for SMB connections. If the password is correctly guessed, a file share is established. The\r\nmalware uses the following methods to access shares on the remote systems:\r\nTo gain access to remote systems it uses ($IPC) share via “\\\\remote system IP\\$IPC”\r\nIt checks for existing shares by using “\\\\hostname\\adnim$\\system32”\r\nIt will create a new share named \"adnim$\" using the following command:\r\n--Begin new share command--\r\n“cmd.exe /q /c net share adnim$=%SystemRoot%”\r\n“cmd.exe /q /c net share adnim$=%%SystemRoot%% /GRANT:%s,FULL”\r\n--End new share command—\r\nOnce a file share is successfully established, the malware uploads a copy of a payload \"C:\\WINDOWS\\TEMP\\TMP1.tmp\"\r\nand installs it as a service. The malware payload that is uploaded and then run on the newly infected host was not available\r\nat the time of analysis.\r\nThe remote network share is removed after infection using the following command:\r\n--Begin command--\r\n“cmd.exe /q /c net share adnim$ /delete”\r\n--End command--\r\nOnce the payload has been uploaded and executed, the malware uses Simple Mail Transfer Protocol (SMTP) to send\r\ncollected data. The data provides infection status to a remote operator.\r\nDisplayed below are the domain names of the service providers used to send data:\r\n--Begin SMTP domain information--\r\n\"www.hotmail.com\"\r\n--End SMTP domain information--\r\nDisplayed is the structure of the email sent:\r\n--Begin email structure format--\r\nSUBJECT: %s%s%s\r\nTO: Joana \u003c%s\u003e%s\r\nFROM: \u003c%s\u003e%s\r\nDATA%s\r\nRCPT TO: \u003c%s\u003e%s\r\nMAIL FROM: \u003c%s\u003e%s\r\nAUTH LOGIN%s\r\nHELO %s%s\r\n--End email structure format--\r\nDisplayed is a list of brute force passwords used to establish connections:\r\n--Begin brute force password--\r\n!@#$\r\n!@#$%\r\n!@#$%^\r\n!@#$%^\u0026\r\n!@#$%^\u0026*\r\n!@#$%^\u0026*()\r\n\"KGS!@#$%\"\r\n0000\r\n00000\r\n000000\r\n00000000\r\n1111\r\n11111\r\n111111\r\n11111111\r\n11122212\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 11 of 15\n\n1212\r\n121212\r\n123123\r\n123321\r\n1234\r\n12345\r\n123456\r\n1234567\r\n12345678\r\n123456789\r\n123456^%$#@!\r\n1234qwer\r\n123abc\r\n123asd\r\n123qwe\r\n1313\r\n1q2w3e\r\n1q2w3e4r\r\n1qaz2wsx\r\n2009\r\n2010\r\n2011\r\n2012\r\n2013\r\n2014\r\n2015\r\n2016\r\n2017\r\n2018\r\n4321\r\n54321\r\n654321\r\n6969\r\n666666\r\n7777\r\n8888\r\n88888\r\n888888\r\n8888888\r\n88888888\r\nAdmin\r\nabc123\r\nabc@123\r\nabcd\r\nadmin\r\nadmin123\r\nadmin!23\r\nadmin!@#\r\nadministrator\r\nadministrador\r\nasdf\r\nasdfg\r\nasdfgh\r\nasdf123\r\nasdf!23\r\nbaseball\r\nbackup\r\nblank\r\ncisco\r\ncompaq\r\ncontrol\r\ncomputer\r\ncookie123\r\ndatabase\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 12 of 15\n\ndbpassword\r\ndb1234\r\ndefault\r\ndell\r\nenable\r\nfish\r\nfoobar\r\ngateway\r\nguest\r\ngolf\r\nharley\r\nhome\r\niloveyou\r\ninternet\r\nletmein\r\nLogin\r\nlogin\r\nlove\r\nmanager\r\noracle\r\nowner\r\npass\r\npasswd\r\npassword\r\np@ssword\r\npassword1\r\npassword!\r\npassw0rd\r\nPassword1\r\npa55w0rd\r\npw123\r\nq1w2e3\r\nq1w2e3r4\r\nq1w2e3r4t5\r\nq1w2e3r4t5y6\r\nqazwsx\r\nqazwsxedc\r\nqwer\r\nqwert\r\nqwerty\r\n!QAZxsw2\r\nroot\r\nsecret\r\nserver\r\nsqlexec\r\nshadow\r\nsuper\r\nsybase\r\ntemp\r\ntemp123\r\ntest\r\ntest!\r\ntest1\r\ntest123\r\ntest!23\r\nwinxp\r\nwin2000\r\nwin2003\r\nWelcome1\r\nWelcome123\r\nxxxx\r\nyxcv\r\nzxcv\r\nAdministrator\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 13 of 15\n\nAdmin\r\n--End brute force password--\r\nredhat@gmail.com\r\nDetails\r\nAddress redhat@gmail.com\r\nRelationships\r\nredhat@gmail.com Contained_Within ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\nmisswang8107@gmail.com\r\nDetails\r\nAddress misswang8107@gmail.com\r\nRelationships\r\nmisswang8107@gmail.com Connected_From ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\nRelationship Summary\r\n077d9e0e12... Dropped a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717\r\n077d9e0e12... Dropped ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\na1c483b0ee... Dropped_By 077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885\r\nea46ed5aed... Dropped_By 077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885\r\nea46ed5aed... Connected_To misswang8107@gmail.com\r\nea46ed5aed... Contains redhat@gmail.com\r\nredhat@gmail.com Contained_Within ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\nmisswang8107@gmail.com Connected_From ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781\r\nRecommendations\r\nCISA would like to remind users and administrators to consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate ACLs.\r\nAdditional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83,\r\nGuide to Malware Incident Prevention \u0026 Handling for Desktops and Laptops.\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 14 of 15\n\nContact Information\r\nDocument FAQ\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or contact@mail.cisa.dhs.gov .\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-149A\r\nPage 15 of 15", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A" ], "report_names": [ "AR18-149A" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434310, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1e1c9aceb38a1cee80f83416bdf2279aefbf1c9f.pdf", "text": "https://archive.orkl.eu/1e1c9aceb38a1cee80f83416bdf2279aefbf1c9f.txt", "img": "https://archive.orkl.eu/1e1c9aceb38a1cee80f83416bdf2279aefbf1c9f.jpg" } }