{
	"id": "38df4fde-dae7-43a0-92d1-46ad2276fbc5",
	"created_at": "2026-04-06T00:13:17.017375Z",
	"updated_at": "2026-04-10T03:38:19.592773Z",
	"deleted_at": null,
	"sha1_hash": "2af7cbfa0f38a26e2b16e82fb6f6584a0200e0c2",
	"title": "MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 229536,
	"plain_text": "MAR-10288834-1.v1 – North Korean Remote Access Tool:\r\nCOPPERHEDGE | CISA\r\nPublished: 2020-05-12 · Archived: 2026-04-02 11:19:33 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS),\r\nthe Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners,\r\nDHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This\r\nmalware variant has been identified as COPPERHEDGE. The U.S. Government refers to malicious cyber activity by the\r\nNorth Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit\r\nhttps[:]//www[.]us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to\r\nmaintain a presence on victim networks and to further network exploitation. 
DHS, FBI, and DoD are distributing this MAR\r\nto enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the\r\nCybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the\r\nhighest priority for enhanced mitigation.\r\nThe Manuscrypt family of malware is used by advanced persistent threat (APT) cyber actors in the targeting of\r\ncryptocurrency exchanges and related entities. Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running\r\narbitrary commands, performing system reconnaissance, and exfiltrating data. Six distinct variants have been identified\r\nbased on network and code features. The variants are categorized based on common code and a common class structure. 
A\r\nsymbol remains in some of the implants identifying a class name of \"WinHTTP_Protocol\" and later \"WebPacket\".\r\nFor a downloadable copy of IOCs, see MAR-10288834-1.v1.stix.\r\nThe breakdown for the variants is displayed below:\r\nVariant A\r\nD8AF45210BF931BC5B03215ED30FB731E067E91F25EDA02A404BD55169E3E3C3\r\n7985AF0A87780D27DC52C4F73C38DE44E5AD477CB78B2E8E89708168FBC4A882\r\nVariant B\r\nE98991CDD9DDD30ADF490673C67A4F8241993F26810DA09B52D8748C6160A292\r\n4838F85499E3C68415010D4F19E83E2C9E3F2302290138ABE79C380754F97324\r\nE76B3FD3E906AC23218B1FBD66FD29C3945EE209A29E9462BBC46B07D1645DE2\r\n1FAAA939087C3479441D9F9C83A80AC7EC9B929E626CB34A7417BE9FF0316FF7\r\n3FF4EBAE6C255D4AE6B747A77F2821F2B619825C7789C7EE5338DA5ECB375395\r\nC2F150DBE9A8EFB72DC46416CA29ACDBAE6FD4A2AF16B27F153EAABD4772A2A1\r\n1678327C5F36074CF5F18D1A92C2D9FEA9BFAE6C245EAAD01640FD75AF4D6C11\r\nC0EE19D7545F98FCD15725A3D9F0DBD0F35B2091E1C5B9CF4744F16E81A030C5\r\n9E4BD9676BB3460BE68BA4559A824940A393BDE7613850EDA9196259E453B9F3\r\nEEE38C632C62CA95B5C66F8D39A18E23B9175845560AF84B6A2F69B7F9B6EC1C\r\nF6E1A146543D2903146698DA5698B2A214201720C0BE756C6E8D2A2F27DCFAFF\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 1 of 56\n\nVariant C\r\n37BB27F4EB40B8947E184AFDDBA019001C12F97588E7F596AB6BC07F7C152602\r\nE6FC788B5FF7436DA4450191A003966A68E2A1913C83F1D3AEC78C65F3BA85CA\r\n284BC471647F951C79E3E333B2B19AA37F84CC39B55441A82E2A5F7319131FAC\r\nA1CDB784100906D0AC895297C5A0959AB21A9FB39C687BAF176324EE84095472\r\nVariant D\r\nB4BF6322C67A23553D5A9AF6FCD9510EB613FFAC963A21E32A9CED83132A09BA\r\nVariant E\r\n134B082B418129FFA390FBEE1568BD9510C54BFDD0E6B1F36BC7B8F867E56283\r\nVariant F\r\n0A763DA26A67CB2B09A3AE6E1AC07828065EB980E452CE7D3354347976038E7E\r\n1884DDC53EF66488CA8FC641B438895FCAADA77C15210118465377C63223B3BC\r\nC24C322F4535DEF3F8D1579C39F2F9E323787D15B96E2EE457C38925EFFE2D39\r\nSubmitted Files (22)\r\n0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e 
(171B9135540F89BF727B690B9E587A...)\r\n134b082b418129ffa390fbee1568bd9510c54bfdd0e6b1f36bc7b8f867e56283 (633BD738AE63B6CE9C2A48CBDDD154...)\r\n1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11 (86D3C1B354CE696E454C42D8DC6DF1...)\r\n1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc (22F8D2A0C8D9B54A553FCA1B2393B2...)\r\n1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7 (667CF9E8EC1DAC7812F92BD77AF702...)\r\n284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac (DB590EA77A92AE6435E2EC954D065E...)\r\n37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602 (A8B6EC51ED88C0329FD3329CB615BB...)\r\n3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395 (A7C804B62AE93D708478949F498342...)\r\n4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324 (EB6275A24D047E3BE05C2B4E5F5070...)\r\n7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882 (C6801F90AAA11CE81C9B66450E0029...)\r\n9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3 (668D5B5761755C9D061DA74CB21A8B...)\r\na1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472 (0856655351ACFFA1EE459EEEAF1647...)\r\nb4bf6322c67a23553d5a9af6fcd9510eb613ffac963a21e32a9ced83132a09ba (34C2AC6DAA44116713F882694B6B41...)\r\nc0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5 (5182E7A2037717F2F9BBF6BA298C48...)\r\nc24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39 (FDD55A38A45DE8AF6F8C34A33BAE11...)\r\nc2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1 (86685EC8C3C717AA2A9702E2C9DEC3...)\r\nd8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3 (12C786C490366727CF7279FC141921...)\r\ne6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca (117FA0B8B8B965680C7B630C6E2BF0...)\r\ne76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2 (AA7F506B0C30D76557C82DBA45116C...)\r\ne98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292 
(912F87392A889070DBB1097A82CCD9...)\r\neee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c (35E38D023B253C0CD9BD3E16AFC362...)\r\nf6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff (72FE869AA394EF0A62BB8324857770...)\r\nDomains (42)\r\n028xmz.com\r\n168wangpi.com\r\n33cow.com\r\n3x-tv.com\r\n51shousheng.com\r\n530hr.com\r\n919xy.com\r\n92myhw.com\r\n97nb.net\r\naedlifepower.com\r\naisou123.com\r\naloe-china.com\r\nanlway.com\r\nap8898.com\r\napshenyihl.com\r\nas-brant.ru\r\naurumgroup.co.id\r\nbogorcenter.com\r\ncabba-cacao.com\r\ncastorbyg.dk\r\ncreativefishstudio.com\r\ndanagloverinteriors.com\r\nduratransgroup.com\r\neventum.cwsdev3.biz\r\neygingenieros.com\r\ngrowthincone.com\r\ninverstingpurpose.com\r\nlocphuland.com\r\nmarkcoprintandcopy.com\r\nmarmarademo.com\r\nmatthias-dlugi.de\r\nnew.titanik.fr\r\nnuokejs.com\r\npakteb.com\r\nqdbazaar.com\r\nrhythm86.com\r\nrxrenew.us\r\nsensationalsecrets.com\r\nstokeinvestor.com\r\nstreamf.ru\r\ntheinspectionconsultant.com\r\nvinhsake.com\r\nFindings\r\nd8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName 12C786C490366727CF7279FC141921D8\r\nSize 166400 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 12c786c490366727cf7279fc141921d8\r\nSHA1 a2e966edee45b30bb6bb5c978e55833eec169098\r\nSHA256 d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\nSHA512 3abe4cd0d287fdf38715feac4096a16ed8c9ed113897e8e8e26d22adb4346df3c8a14a2c6660fbc2e01beb98e5cc770616866e5e319cfd9562\r\nssdeep 3072:G2K5QbCpgMFlQ0O4t5E13j0S0wBiCRcnHaApUiCDyY:G2bSQ0NS3jq6Apm\r\nEntropy 6.529499\r\nAntivirus\r\nAhnlab Trojan/Win32.Manuscrypt\r\nAntiy Trojan/Win32.Manuscrypt\r\nAvira TR/AD.APTLazerus.gqbgi\r\nBitDefender Gen:Variant.Graftor.452205\r\nClamAV 
Win.Trojan.Agent-6459669-0\r\nCyren W32/Nukesped.EBPS-8656\r\nESET a variant of Win32/NukeSped.AG trojan\r\nEmsisoft Gen:Variant.Graftor.452205 (B)\r\nIkarus Trojan-Spy.Agent\r\nK7 Trojan ( 005202c91 )\r\nMcAfee HiddenCobra!12C786C49036\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.M!dha\r\nNANOAV Trojan.Win32.Manuscrypt.eyleld\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/Agent-AYKU\r\nSymantec Backdoor.Cruprox\r\nSystweak malware.gen-ra\r\nTrendMicro TROJ_NUKESPED.B\r\nTrendMicro House Call TROJ_NUKESPED.B\r\nVir.IT eXplorer Trojan.Win32.Genus.BGU\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nZillya! Trojan.Manuscrypt.Win32.10\r\nYARA Rules\r\nrule CISA_3P_10135536_24 : success_fail_codes\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10135536-A\"\r\n       Date = \"2017-11-14\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"n/a\"\r\n       Family = \"FALLCHILL\"\r\n       Description = \"\"\r\n   strings:\r\n       $s0 = { 68 7a 34 12 00 }\r\n       $s1 = { ba 7a 34 12 00 }\r\n       $f0 = { 68 5c 34 12 00 }\r\n       $f1 = { ba 5c 34 12 00 }\r\n   condition:\r\n       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-02-24 
01:52:42-05:00\r\nImport Hash 04f1d2f5c7c06a209c29beeff2fce817\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nc37a64a60af18ec7b8360e84d5b85d0d header 1024 2.917803\r\n3056f69baa8301ae1f6aef85bf88d0b8 .text 121344 6.526051\r\n3c4cc09c827a1bb000669e8922d7d6d9 .rdata 29184 5.443973\r\n4cda142760a96a9e47daeafc0ea5ed7c .data 5120 5.302725\r\n8b7fa4533b5f57eebfd85a72154aeafe .gfids 512 2.058608\r\nf040daaf746c66507cba208212c65d00 .rsrc 2560 2.715102\r\n0d82adf85bb2476ed8bd2bb6c297e301 .reloc 6656 6.477462\r\nPackers/Compilers/Cryptors\r\nRelationships\r\nd8af45210b... Connected_To 530hr.com\r\nd8af45210b... Connected_To 028xmz.com\r\nd8af45210b... Connected_To 168wangpi.com\r\nDescription\r\nThis file is a 32-bit Dynamic Link Library (DLL) and has been identified as Variant A. Variant A uses RC4 encryption to\r\nobfuscate import loading with an RC4 key of \"0x78292E4C5DA3B5D067F081B736E5D593\". A hard-coded string of\r\n\"*dJU!*JE\u0026!M@UNQ@\" is embedded in the malware beacons. 
This variant also obfuscates Hypertext Transfer Protocol (HTTP) header strings using a custom character manipulation in which certain ranges of characters are shifted by adding or subtracting the constant 9.\r\nVariant A will generate HTTP POST requests with the following format:\r\n--Begin HTTP POST request--\r\nPOST /\u003curi\u003e HTTP/1.1\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nAccept: */*\r\nContent-Type: multipart/form-data; boundary=----FormBoundary\u003crandomCharacters\u003e\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: ko-KR\r\nUser-Agent: \u003cobtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36\u003e\r\nHost: \u003cdomain\u003e\r\nContent-Length: \u003clength\u003e\r\n------FormBoundary\u003crandomCharacters\u003e\r\nContent-Disposition: form-data; name=\"board_id\"\r\n\u003csessionID\u003e\r\n------FormBoundary\u003crandomCharacters\u003e\r\nContent-Disposition: form-data; name=\"user_id\"\r\n\u003c*dJU!*JE\u0026!M@UNQ@ if beacon request otherwise empty\u003e\r\n------FormBoundary\u003crandomCharacters\u003e\r\nContent-Disposition: form-data; name=\"file1\"; filename=\"\u003crandomly picked\u003e\"\r\nContent-Type: application/octet-stream\r\n\u003cdatagram\u003e\r\n--End HTTP POST request--\r\nVariant A uses a custom algorithm to encrypt datagram data. 
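The routine the report lists next is the encryptor only. The block below is an added example, not the report's own code: it re-implements the routine in Python 3 as a stateful encrypt/decrypt pair, assembles a beacon body in the multipart layout shown above, and parses such a body the way a passive network decoder would, flagging the hard-coded marker in the user_id part and recovering the datagram from the file1 part. The datagram text, session ID, boundary suffix and filename are constructed for the example. Two assumptions are made: each datagram starts from the initial key 0x25 (the report's listing keeps the key in a global, so the implant may carry state from one message to the next), and the body separates part headers from values with the blank line multipart requires.

```python
# Added example (not from the MAR): Variant A datagram cipher and beacon body.
# Constants and the key-update rule follow the report's listing; the
# multipart layout follows the POST format shown above. Sample values are
# constructed, and the per-datagram key reset is an assumption.

MARKER = '*dJU!*JE&!M@UNQ@'   # hard-coded beacon string named in the MAR
CRLF = chr(13) + chr(10)      # CR LF, written without escape sequences


class DatagramCipher:
    '''Running-key XOR cipher from the report. The key is updated from each
    plaintext byte, so decrypt must feed the recovered byte, not the
    ciphertext byte, into the same update.'''
    MOD_VAL, ADD_VAL, INIT_KEY = 0x6be, 0x95d9, 0x25

    def __init__(self):
        self.key = self.INIT_KEY

    def _step(self, plain_byte):
        self.key = (((plain_byte + self.key) % self.MOD_VAL) + self.ADD_VAL) & 0xffffffff

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append((p ^ self.key) & 0xff)
            self._step(p)
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = (c ^ self.key) & 0xff
            out.append(p)
            self._step(p)
        return bytes(out)


def build_beacon(boundary_suffix, session_id, datagram, filename, beacon=True):
    '''Assemble the multipart/form-data body in the layout the MAR shows.
    user_id carries the marker only on beacon requests.'''
    b = '------FormBoundary' + boundary_suffix
    lines = [
        b,
        'Content-Disposition: form-data; name=\"board_id\"',
        '',
        session_id,
        b,
        'Content-Disposition: form-data; name=\"user_id\"',
        '',
        MARKER if beacon else '',
        b,
        'Content-Disposition: form-data; name=\"file1\"; filename=\"' + filename + '\"',
        'Content-Type: application/octet-stream',
        '',
    ]
    head = CRLF.join(lines).encode() + CRLF.encode()
    payload = DatagramCipher().encrypt(datagram)   # assumption: fresh key per datagram
    return head + payload + CRLF.encode() + (b + '--').encode()


def parse_beacon(body, boundary_suffix):
    '''Split a captured body into {part name: raw value bytes}.'''
    delim = ('------FormBoundary' + boundary_suffix).encode()
    fields = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b'--'):
            break                                  # closing boundary
        header, _, value = chunk.partition((CRLF + CRLF).encode())
        name = header.split(b'name=\"', 1)[1].split(b'\"', 1)[0].decode()
        if value.endswith(CRLF.encode()):
            value = value[:-2]                     # framing CRLF, not payload
        fields[name] = value
    return fields


def is_variant_a_beacon(body, boundary_suffix):
    '''Detection check: the marker string sits in the user_id part.'''
    fields = parse_beacon(body, boundary_suffix)
    return fields.get('user_id', b'').decode(errors='replace') == MARKER


def recover_datagram(body, boundary_suffix):
    '''Decrypt the file1 part of a captured beacon body.'''
    return DatagramCipher().decrypt(parse_beacon(body, boundary_suffix)['file1'])


if __name__ == '__main__':
    sample = build_beacon('Ab12xyz', 'sess-0001', b'constructed datagram', 'report.dat')
    print(is_variant_a_beacon(sample, 'Ab12xyz'), recover_datagram(sample, 'Ab12xyz'))
```

The body check is deliberately independent of the request headers; the boundary prefix ----FormBoundary, the Accept-Language: ko-KR header and the fixed Chrome/28 fallback User-Agent in the format above are further pivots a detection rule can combine with it.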
An implementation of the algorithm is provided below:\r\n--Begin custom algorithm--\r\nmodVal = 0x6be\r\naddVal = 0x95d9\r\nkeyVal = 0x25\r\n\r\ndef encrypt(data):\r\n   # data is bytes; returns bytes. keyVal is a running key updated from\r\n   # each plaintext byte, so the keystream depends on the message, and\r\n   # because it is a global it carries over from one call to the next.\r\n   global keyVal\r\n   r = bytearray()\r\n   for c in data:\r\n       r.append((c ^ keyVal) \u0026 0xff)\r\n       keyVal = (((c + keyVal) % modVal) + addVal) \u0026 0xffffffff\r\n   return bytes(r)\r\n--End custom algorithm--\r\nScreenshots\r\nFigure 1 - Variant A contains the commands displayed in the table.\r\n530hr.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n530hr.com/data/common.php\r\nRelationships\r\n530hr.com Connected_From d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\n530hr.com Connected_From 7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\nDescription\r\n12C786C490366727CF7279FC141921D8 and C6801F90AAA11CE81C9B66450E002972 attempt to connect to the\r\ndomain.\r\n028xmz.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n028xmz.com/include/common.php\r\nRelationships\r\n028xmz.com Connected_From d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\n028xmz.com Connected_From 7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\nDescription\r\n12C786C490366727CF7279FC141921D8 and C6801F90AAA11CE81C9B66450E002972 attempt to connect to the\r\ndomain.\r\n168wangpi.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n168wangpi.com/include/charset.php\r\nRelationships\r\n168wangpi.com Connected_From d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\n168wangpi.com Connected_From 7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\nDescription\r\n12C786C490366727CF7279FC141921D8 and C6801F90AAA11CE81C9B66450E002972 attempt to connect to the\r\ndomain.\r\n7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\nTags\r\nbackdoor, bot, trojan\r\nDetails\r\nName 
C6801F90AAA11CE81C9B66450E002972\r\nSize 176640 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 c6801f90aaa11ce81c9b66450e002972\r\nSHA1 4e30ebb98bb9f984c05eb0c0a365ff95305e8c55\r\nSHA256 7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\nSHA512 2568ed6468f6d6b4ec6a930e003b04a2fd9e3379ac9fa320f6130f789ff8471ef2ca596ef2699bc45fd0997a5972243627199eb94e42028fcaf\r\nssdeep 3072:FhjE3GVSDW52icOf+CDqRHiEGK+M/0ivZSRMlxbs6D79vrXqx7C5:DE3o52Q+VRHiEGK+M/1hSmZ67\r\nEntropy 6.244198\r\nAntivirus\r\nAhnlab Trojan/Win32.Manuscrypt\r\nAntiy Trojan/Win32.Manuscrypt\r\nAvira TR/Autophyte.fadtc\r\nBitDefender Trojan.GenericKD.40166196\r\nESET a variant of Win64/NukeSped.AL trojan\r\nEmsisoft Trojan.GenericKD.40166196 (B)\r\nIkarus Trojan-Spy.Agent\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee HiddenCobra!C6801F90AAA1\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.M!dha\r\nNANOAV Trojan.Win64.Manuscrypt.eyolaj\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/Agent-AYKV\r\nSymantec Backdoor.Cruprox\r\nSystweak trojan-backdoor.bot\r\nTrendMicro TROJ64_.8C3165BD\r\nTrendMicro House Call TROJ64_.8C3165BD\r\nVir.IT eXplorer Trojan.Win32.Genus.BGU\r\nVirusBlokAda Trojan.Manuscrypt\r\nZillya! 
Trojan.NukeSped.Win64.13\r\nYARA Rules\r\nrule CISA_3P_10135536_24 : success_fail_codes\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10135536-A\"\r\n       Date = \"2017-11-14\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"n/a\"\r\n       Family = \"FALLCHILL\"\r\n       Description = \"\"\r\n   strings:\r\n       $s0 = { 68 7a 34 12 00 }\r\n       $s1 = { ba 7a 34 12 00 }\r\n       $f0 = { 68 5c 34 12 00 }\r\n       $f1 = { ba 5c 34 12 00 }\r\n   condition:\r\n       (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-02-24 01:52:37-05:00\r\nImport Hash a789d7d213a81de1ef22719353b5a15a\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n5869d6b6233e336c6aad801596ad0467 header 1024 3.153109\r\n33470b7e064ef6a3d0da14b6ce12cf0f .text 111104 6.424442\r\n39564530ada80c0adb6a0d5b0c53cb96 .rdata 46592 5.184555\r\nbbf22987d7c4bfec2c3fdf371454d2b6 .data 6144 4.989277\r\n74b4e027ae891b3728ab6efa84bd2614 .pdata 6656 5.232089\r\n346bac74e00a330d731022626b43a9c3 .gfids 512 1.773634\r\n9f5bcd42d44606048eb3e04477c78ac7 .rsrc 2560 2.714498\r\na8898561836ddcc26054cd0933d39599 .reloc 2048 
4.853460\r\nRelationships\r\n7985af0a87... Connected_To 530hr.com\r\n7985af0a87... Connected_To 028xmz.com\r\n7985af0a87... Connected_To 168wangpi.com\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant A. Refer to 12C786C490366727CF7279FC141921D8 for\r\nanalysis.\r\ne98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName 912F87392A889070DBB1097A82CCD93F\r\nSize 128512 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 912f87392a889070dbb1097a82ccd93f\r\nSHA1 58c5b86691dc922945c8204b465e76fc15c498fb\r\nSHA256 e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\nSHA512 968d7ff1a39b95428d139d0c7febd76ebcd37612c133ac238fb2a2accf853a2ceb5827f2344c09dafcd7e5936ddbc4da401bcb328d48315843\r\nssdeep 1536:Jg6dIYHXVp0AMkysbkQfRkChJlTToZdRYKgZXTrP5Dr4vDQeAsWq8McdLEA8CHr:FdnXVpIsXRjlTToNYKgZjiDwLEA8C\r\nEntropy 6.559526\r\nAntivirus\r\nAhnlab Trojan/Win32.Lumal\r\nAvira TR/AD.APTLazerus.yvywt\r\nBitDefender Trojan.GenericKD.30910621\r\nClamAV Win.Trojan.Autophyte-6582725-0\r\nESET Win32/NukeSped.EI trojan\r\nEmsisoft Trojan.GenericKD.30910621 (B)\r\nIkarus Trojan.Win32.Autophyte\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win32.Manuscrypt.fdnkqz\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Manuscrypt\r\nSophos Troj/Mdrop-IEI\r\nSymantec Trojan Horse\r\nSystweak malware.gen-ra\r\nTrendMicro BKDR_NU.91A5ED8F\r\nTrendMicro House Call BKDR_NU.91A5ED8F\r\nVir.IT eXplorer Backdoor.Win32.NukeSped.S\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nZillya! 
Trojan.Manuscrypt.Win32.15\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-05-30 23:29:44-04:00\r\nImport Hash 95dff862e0b00db0b05bcf957ad9e12e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nf72cbf29269ccff8e8ad284f34fbc0b1 header 1024 2.894160\r\n50ec6e3135350d312c343fb6f8663146 .text 89600 6.597021\r\nf276082813b38691ceeb9a5d6cc631b3 .rdata 28160 5.353008\r\nd8727a0a5051d7418591aae3a42a3f01 .data 3072 4.460652\r\n7d67fff10fcba2d1075511a8598e6906 .gfids 512 1.761800\r\n89b7e19270b2a5563c301b84b28e423f .rsrc 512 4.714485\r\n14cf8bfde5b679909af8942ae7ca3ca6 .reloc 5632 6.597866\r\nPackers/Compilers/Cryptors\r\nRelationships\r\ne98991cdd9... Connected_To marmarademo.com\r\ne98991cdd9... Connected_To 33cow.com\r\ne98991cdd9... Connected_To 97nb.net\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant B. Variant B generates an HTTP POST request similar to Variant\r\nA. However, in Variant B datagrams are RC4 encrypted. The implant maintains separate RC4 key streams for each side of\r\nthe conversation. The RC4 key used is \"0x271A16AB6D7A900EF3FA677DCE8AB268\". The RC4 key streams will reset\r\nafter the implant receives a \"SystemInfo\" command. 
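As an added example, not from the MAR, the following Python models the Variant B datagram channel the paragraph describes: one RC4 state per direction, keyed with the value above, and a reset of both states when a SystemInfo command is received. RC4 and the key come from the report; the command strings, the direction names, the reply format and the exact point at which the reset happens (here, after the implant has decrypted the command and before it replies) are assumptions. The direction_mismatch function shows why a passive decoder must keep the two directions apart, and the exchange function has a switch that shows what a decoder sees when it forgets the reset.

```python
# Added example (not from the MAR): Variant B RC4 datagram channel with a
# separate keystream per direction and a reset on SystemInfo. RC4 and the
# key are from the report; command strings, direction names, reply format
# and the reset point are assumptions made for this example.

RC4_KEY = bytes.fromhex('271A16AB6D7A900EF3FA677DCE8AB268')


class RC4Stream:
    '''Stateful RC4: each crypt() call continues the keystream where the
    previous one stopped, so both ends must process the same bytes in the
    same order or they fall out of sync.'''

    def __init__(self, key):
        self.key = key
        self.reset()

    def reset(self):
        s = list(range(256))
        j = 0
        for i in range(256):                       # key-scheduling algorithm
            j = (j + s[i] + self.key[i % len(self.key)]) & 0xff
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data):
        s, out = self.s, bytearray()
        for b in data:                             # PRGA, XOR as we go
            self.i = (self.i + 1) & 0xff
            self.j = (self.j + s[self.i]) & 0xff
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xff])
        return bytes(out)


class VariantBSession:
    '''One RC4 state per direction, as the MAR describes.'''

    def __init__(self, key=RC4_KEY):
        self.to_c2 = RC4Stream(key)      # implant -> server
        self.from_c2 = RC4Stream(key)    # server -> implant

    def reset(self):
        self.to_c2.reset()
        self.from_c2.reset()


def exchange(commands, decoder_resets=True):
    '''Drive a server/implant exchange and return (commands as decrypted by
    the implant, replies as decrypted by the server). With decoder_resets
    False the implant side skips the SystemInfo reset, which is the mistake
    a traffic decoder makes if it ignores the reset rule.'''
    server, implant = VariantBSession(), VariantBSession()
    seen_by_implant, seen_by_server = [], []
    for cmd in commands:
        got = implant.from_c2.crypt(server.from_c2.crypt(cmd))
        seen_by_implant.append(got)
        if cmd == b'SystemInfo':                   # assumption: reset before the reply
            server.reset()
            if decoder_resets:
                implant.reset()
        reply = implant.to_c2.crypt(b'ok:' + got)
        seen_by_server.append(server.to_c2.crypt(reply))
    return seen_by_implant, seen_by_server


def direction_mismatch():
    '''Return (correct, wrong): the same wire bytes decrypted with the
    matching direction's state and with the other direction's state once
    the two have diverged.'''
    server, implant = VariantBSession(), VariantBSession()
    server.to_c2.crypt(implant.to_c2.crypt(b'beacon'))   # earlier implant -> server traffic
    wire = server.from_c2.crypt(b'SystemInfo')
    correct = implant.from_c2.crypt(wire)
    wrong = implant.to_c2.crypt(wire)              # keystream is 6 bytes ahead: garbage
    return correct, wrong


if __name__ == '__main__':
    print(exchange([b'SystemInfo', b'dir', b'SystemInfo', b'whoami']))
    print(direction_mismatch())
```

A passive decoder needs exactly the state VariantBSession holds: two RC4 contexts derived from the same key, each advanced only by its own direction's bytes, and both re-keyed when a SystemInfo command passes; a decoder with a single context, or one that never resets, decodes the first message and garbage thereafter.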
Variant B uses the same RC4 key as Variant A to obfuscate Application Programming Interface (API) import loading.\r\nScreenshots\r\nFigure 2 - Variant B contains the commands displayed in the table.\r\nmarmarademo.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nmarmarademo.com/include/extend.php\r\nRelationships\r\nmarmarademo.com Connected_From e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\nDescription\r\n912F87392A889070DBB1097A82CCD93F attempts to connect to the domain.\r\n33cow.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n33cow.com/include/control.php\r\nRelationships\r\n33cow.com Connected_From e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\nDescription\r\n912F87392A889070DBB1097A82CCD93F attempts to connect to the domain.\r\n97nb.net\r\nTags\r\ncommand-and-control\r\nURLs\r\n97nb.net/include/arc.sglistview.php\r\nRelationships\r\n97nb.net Connected_From e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\nDescription\r\n912F87392A889070DBB1097A82CCD93F attempts to connect to the domain.\r\n4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName EB6275A24D047E3BE05C2B4E5F50703D\r\nSize 128512 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 eb6275a24d047e3be05c2b4e5f50703d\r\nSHA1 62faf15eddb64dce9a2b1ba242254271facffd9f\r\nSHA256 4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\nSHA512 f2715f867a1729d3ff77a5ee561da0df0f736517d0f0197e726e2a5867d21c16f0558afd8e6b38d9a166d0715b51d95407943865e577fb01c1\r\nssdeep 3072:wIjV9Tmp7TvnhplTznm4qg5aHDwU+A8Yr:ljV9ap7TPPlmbay8Y\r\nEntropy 6.561793\r\nAntivirus\r\nAhnlab Trojan/Win32.Lumal\r\nAntiy Trojan/Win32.TSGeneric\r\nAvira TR/AD.LazerusAPT.bowts\r\nBitDefender Trojan.GenericKD.40293468\r\nClamAV 
Win.Trojan.Autophyte-6582725-0\r\nESET Win32/NukeSped.EN trojan\r\nEmsisoft Trojan.GenericKD.40293468 (B)\r\nIkarus Trojan.Win32.Autophyte\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee Generic BackDoor.gx\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win32.Manuscrypt.fekufg\r\nSophos Troj/Bdoor-BHF\r\nSymantec Trojan.Gen.6\r\nTrendMicro BKDR_NUKESPED.H\r\nTrendMicro House Call BKDR_NUKESPED.H\r\nVir.IT eXplorer Backdoor.Win32.NukeSped.S\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nZillya! Trojan.Manuscrypt.Win32.14\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-06-03 21:31:48-04:00\r\nImport Hash 95dff862e0b00db0b05bcf957ad9e12e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n588b2a99aa2dbacf19c05e5e363a0056 header 1024 2.899780\r\n0726d6e7fdcc41dca2a7fd81df61e0a5 .text 89600 6.597775\r\nc81a53a721abdd9f27386c7590d39c8b .rdata 28160 5.358969\r\nd8727a0a5051d7418591aae3a42a3f01 .data 3072 4.460652\r\n7fd4f016c8992181e34904887d12f90f .gfids 512 1.785783\r\n89b7e19270b2a5563c301b84b28e423f .rsrc 512 4.714485\r\n13444aa676e19fb0c746d2cd954477d5 .reloc 5632 6.600614\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n4838f85499... Connected_To anlway.com\r\n4838f85499... Connected_To apshenyihl.com\r\n4838f85499... Connected_To ap8898.com\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for\r\nanalysis.\r\nanlway.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nanlway.com/include/arc.search.class.php\r\nRelationships\r\nanlway.com Connected_From 4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\nDescription\r\nEB6275A24D047E3BE05C2B4E5F50703D attempts to connect to the domain.\r\napshenyihl.com\r\nTags\r\ncommand-and-control\r\nURLs\r\napshenyihl.com/include/arc.speclist.class.php\r\nRelationships\r\napshenyihl.com Connected_From 4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\nDescription\r\nEB6275A24D047E3BE05C2B4E5F50703D attempts to connect to the domain.\r\nap8898.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nap8898.com/include/arc.search.class.php\r\nRelationships\r\nap8898.com Connected_From 4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\nDescription\r\nEB6275A24D047E3BE05C2B4E5F50703D attempts to connect to the domain.\r\ne76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\nTags\r\nbackdoor, bot, trojan\r\nDetails\r\nName AA7F506B0C30D76557C82DBA45116CCC\r\nSize 128512 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 aa7f506b0c30d76557c82dba45116ccc\r\nSHA1 b12d174088629f4e3e0009661ca589fc9f17f66a\r\nSHA256 e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\nSHA512 38e119207cf99b6b51f41f79f05a9796b5db68c96243596f25287a82454fc31fc7398fee78940308f2a141907e736f52c4a95efbd00c3d95e6a\r\nssdeep 3072:MImnlpLjPVxPlTDYlI6gJow9DwUkA8pED8:hmnlpLjNJql7KR8qD\r\nEntropy 6.562090\r\nAntivirus\r\nAhnlab Trojan/Win32.Lumal\r\nAntiy Trojan/Win32.Manuscrypt\r\nAvira TR/AD.LazerusAPT.kgbeu\r\nBitDefender Trojan.GenericKD.31008542\r\nClamAV Win.Trojan.Autophyte-6582725-0\r\nESET a variant of Win32/NukeSped.EN trojan\r\nEmsisoft Trojan.GenericKD.31008542 (B)\r\nIkarus Trojan.Win32.Autophyte\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee 
RDN/Generic.diz\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win32.Manuscrypt.femlit\r\nNetGate Trojan.Win32.Malware\r\nSymantec Trojan.Gen.2\r\nSystweak trojan-backdoor.bot\r\nTrendMicro Backdoo.C7D30B55\r\nTrendMicro House Call Backdoo.C7D30B55\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nZillya! Trojan.Manuscrypt.Win32.13\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-06-17 21:16:04-04:00\r\nImport Hash 95dff862e0b00db0b05bcf957ad9e12e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n345f78e492d087ea0094b7b1a6f47748 header 1024 2.895517\r\n4a636a6ed82a4e4197590534c75a6594 .text 89600 6.598985\r\ne212140f652f7d7ff7d1656d4a9760b7 .rdata 28160 5.356656\r\nd8727a0a5051d7418591aae3a42a3f01 .data 3072 4.460652\r\n4a3c3b184454a27b36332e5a5d8d221c .gfids 512 1.769477\r\n89b7e19270b2a5563c301b84b28e423f .rsrc 512 4.714485\r\nbec045baa0e06b05d5e27a3ce159e66b .reloc 5632 6.591434\r\nPackers/Compilers/Cryptors\r\nRelationships\r\ne76b3fd3e9... Connected_To aloe-china.com\r\ne76b3fd3e9... Connected_To 92myhw.com\r\ne76b3fd3e9... Connected_To aisou123.com\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for\r\nanalysis.\r\naloe-china.com\r\nTags\r\ncommand-and-control\r\nURLs\r\naloe-china.com/include/bottom.php\r\nRelationships\r\naloe-china.com Connected_From e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\nDescription\r\nAA7F506B0C30D76557C82DBA45116CCC attempts to connect to the domain.\r\n92myhw.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n92myhw.com/include/inc/inc_common.php\r\nRelationships\r\n92myhw.com Connected_From e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\nDescription\r\nAA7F506B0C30D76557C82DBA45116CCC attempts to connect to the domain.\r\naisou123.com\r\nTags\r\ncommand-and-control\r\nURLs\r\naisou123.com/include/dialog/common.php\r\nRelationships\r\naisou123.com Connected_From e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\nDescription\r\nAA7F506B0C30D76557C82DBA45116CCC attempts to connect to the domain.\r\n1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName 667CF9E8EC1DAC7812F92BD77AF702A1\r\nSize 128512 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 667cf9e8ec1dac7812f92b d77af702a1\r\nSHA1 880fb67893d8ce559857ca783a701b5ca675eb40\r\nSHA256 1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\nSHA512 83551fc0a12546380e0975f02fb2aff65ceab76885e9a1d47d7726b2e48d0c8cb0871c2036778c9beeaa6d9ad455501941eff51db00bec0014\r\nssdeep 3072:tIjV94Vp7TPnhalTDY2I6gJ66dDwUGA8Qr:qjV9mp7TvQq27Kf8Q\r\nEntropy 6.561257\r\nAntivirus\r\nAhnlab Trojan/Win32.Lumal\r\nAntiy Trojan/Win32.TSGeneric\r\nAvira TR/AD.LazerusAPT.nbtos\r\nBitDefender Trojan.GenericKD.40344666\r\nClamAV Win.Trojan.Autophyte-6582725-0\r\nESET a variant of Win32/NukeSped.EN trojan\r\nEmsisoft Trojan.GenericKD.40344666 (B)\r\nIkarus 
Trojan.Win32.NukeSped\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee Generic Trojan.fk\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win32.Manuscrypt.fekufg\r\nNetGate Trojan.Win32.Malware\r\nSymantec Trojan.Gen.2\r\nTACHYON Trojan/W32.Backdoor.128512\r\nTrendMicro BKDR_NU.28D976A2\r\nTrendMicro House Call BKDR_NU.28D976A2\r\nVir.IT eXplorer Backdoor.Win32.NukeSped.S\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nZillya! Trojan.GenericKD.Win32.143947\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-07-23 20:17:47-04:00\r\nImport Hash 95dff862e0b00db0b05bcf957ad9e12e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n30089c82e2388a4d7f83605bcd432c1e header 1024 2.897568\r\n21c783005e4e290d2d7e225fd0a17cbf .text 89600 6.598159\r\n1e3e3c4c6bee90a10fc476303ce8b1ae .rdata 28160 5.354056\r\nd8727a0a5051d7418591aae3a42a3f01 .data 3072 4.460652\r\n7fd4f016c8992181e34904887d12f90f .gfids 512 1.785783\r\n89b7e19270b2a5563c301b84b28e423f .rsrc 512 4.714485\r\n6eb49c61e08a4c2613747f6b09b79fcb .reloc 5632 6.606865\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n1faaa93908... Connected_To markcoprintandcopy.com\r\n1faaa93908... Connected_To aedlifepower.com\r\n1faaa93908... Connected_To 919xy.com\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\nmarkcoprintandcopy.com\r\nURLs\r\nmarkcoprintandcopy.com/data/helper.php\r\nRelationships\r\nmarkcoprintandcopy.com Connected_From 1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\nDescription\r\n667CF9E8EC1DAC7812F92BD77AF702A1 attempts to connect to the domain.\r\naedlifepower.com\r\nTags\r\ncommand-and-control\r\nURLs\r\naedlifepower.com/include/image.php\r\nRelationships\r\naedlifepower.com Connected_From 1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\nDescription\r\n667CF9E8EC1DAC7812F92BD77AF702A1 attempts to connect to the domain.\r\n919xy.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n919xy.com/contactus/about.php\r\nRelationships\r\n919xy.com Connected_From 1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\nDescription\r\n667CF9E8EC1DAC7812F92BD77AF702A1 attempts to connect to the domain.\r\n3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\nTags\r\ntrojan\r\nDetails\r\nName A7C804B62AE93D708478949F498342F9\r\nSize 128512 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 a7c804b62ae93d708478949f498342f9\r\nSHA1 09db826a7b6dbb16e2d7b3046e0da9fe7342f00f\r\nSHA256 3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\nSHA512 c186485779ef22e6b65b3ba43a4290026d7b97b0d98ab8fe35f811c911be80402ea8bdf89e9c7169b3e7168d1e6a55eaa3fb8fd2165e55d9a4\r\nssdeep 1536:JkkY5dY/p7aY3xkuvxaSfhkSn5lTToZkBYKgZXTrP5zr4t8DQeAsWq8McdC5vA8G:Ck0Y/p7TvFhllTToGYKgZj7DwC5vA8E\r\nEntropy 6.557876\r\nAntivirus\r\nAhnlab Trojan/Win32.Lumal\r\nAntiy Trojan/Win32.Manuscrypt\r\nAvira TR/AD.LazerusAPT.vwvsu\r\nBitDefender Trojan.GenericKD.40376367\r\nClamAV Win.Trojan.Autophyte-6582725-0\r\nESET a variant of Win32/NukeSped.EN trojan\r\nEmsisoft Trojan.GenericKD.40376367 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 00539ca21 )\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win32.NukeSped.fgiarj\r\nSymantec Trojan.Gen.2\r\nTACHYON Trojan/W32.Agent.128512.AAF\r\nTrendMicro Backdoo.C7D30B55\r\nTrendMicro House Call Backdoo.C7D30B55\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-08-02 21:34:02-04:00\r\nImport Hash 95dff862e0b00db0b05bcf957ad9e12e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n39810a1d06213e840b94fbb1b3858b7c header 1024 2.896592\r\n197d2613ce721b378472dfa545446db5 .text 89600 6.595346\r\nb875ef9ee01d6efadfad0d1b788851d1 .rdata 28160 5.352208\r\nd8727a0a5051d7418591aae3a42a3f01 .data 3072 4.460652\r\n302771a063d00e731afc38a29a0eda64 .gfids 512 1.779168\r\n89b7e19270b2a5563c301b84b28e423f .rsrc 512 4.714485\r\n324d867372c3590e64d7eb61f4cd1de5 .reloc 5632 6.594775\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n3ff4ebae6c... Connected_To pakteb.com\r\n3ff4ebae6c... Connected_To nuokejs.com\r\n3ff4ebae6c... Connected_To qdbazaar.com\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\npakteb.com\r\nTags\r\ncommand-and-control\r\nURLs\r\npakteb.com/include/left.php\r\nRelationships\r\npakteb.com Connected_From 3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\npakteb.com Connected_From c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nDescription\r\nA7C804B62AE93D708478949F498342F9 and 86685EC8C3C717AA2A9702E2C9DEC379 attempt to connect to the domain.\r\nnuokejs.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nnuokejs.com/contactus/about.php\r\nRelationships\r\nnuokejs.com Connected_From 3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\nnuokejs.com Connected_From c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nDescription\r\nA7C804B62AE93D708478949F498342F9 and 86685EC8C3C717AA2A9702E2C9DEC379 attempt to connect to the domain.\r\nqdbazaar.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nqdbazaar.com/include/footer.php\r\nRelationships\r\nqdbazaar.com Connected_From 3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\nqdbazaar.com Connected_From c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nDescription\r\nA7C804B62AE93D708478949F498342F9 and 86685EC8C3C717AA2A9702E2C9DEC379 attempt to connect to the domain.\r\nc2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName 86685EC8C3C717AA2A9702E2C9DEC379\r\nSize 156672 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 86685ec8c3c717aa2a9702e2c9dec379\r\nSHA1 29ddf9baad018518060814a03d424f4e08a0e914\r\nSHA256 c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nSHA512 5bfee5737aaa7b5c42f49d2963ca3fdb0212eb4b298366e6e15ce7b6a9c09b3a1d4971683414318e5b7463eb9fa0a508179b72a72ceba8298\r\nssdeep 3072:/ucPnT+MMMMRwVK77YWOj885LhaEuTiAQLvkkABYn9N:/ZnTwn77YWOjbL4hfq\r\nEntropy 6.192260\r\nAntivirus\r\nAhnlab Trojan/Win64.Manuscrypt\r\nAvira TR/AD.APTLazerus.vzbiu\r\nBitDefender Trojan.GenericKD.31159551\r\nClamAV Win.Trojan.Autophyte-6582725-0\r\nESET a variant of Win64/NukeSped.BD trojan\r\nEmsisoft Trojan.GenericKD.31159551 (B)\r\nIkarus Trojan.Win32.Autophyte\r\nK7 Trojan ( 0053a60a1 )\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win64.NukeSped.fglqhp\r\nSymantec Trojan Horse\r\nTACHYON Backdoor/W64.Agent.156672\r\nTrendMicro BKDR64_.37857E4E\r\nTrendMicro House Call BKDR64_.37857E4E\r\nVirusBlokAda Trojan.Manuscrypt\r\nZillya! Trojan.GenericKD.Win32.145349\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-08-02 21:34:37-04:00\r\nImport Hash 2013af6912650171ab98cb2d8b0b1a2e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n41a5e8385e9725d9bbf9f9b6a0734475 header 1024 3.078331\r\n7db58e09d4ea1e65d3c0b3bb94fcd1ba .text 98304 6.401910\r\nb446c87210ab967d6db88c8aa1095ccb .rdata 44032 5.142828\r\na748046679e968fa96c68aa53107f08a .data 4096 3.641240\r\na1cdf2e22fff16573b4f461759d5e02d .pdata 6144 4.913515\r\n48a18c337d9c605b138a3f2e8fa572d1 .gfids 512 1.638651\r\n106eb1a5ed9fc911defec918b5086d48 .rsrc 512 4.720823\r\n452a8928c69f9af56227179f5b5b98f0 .reloc 2048 4.794478\r\nRelationships\r\nc2f150dbe9... Connected_To pakteb.com\r\nc2f150dbe9... Connected_To nuokejs.com\r\nc2f150dbe9... Connected_To qdbazaar.com\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\n1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\nTags\r\ntrojan\r\nDetails\r\nName 86D3C1B354CE696E454C42D8DC6DF1B7\r\nSize 129024 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 86d3c1b354ce696e454c42d8dc6df1b7\r\nSHA1 4d17c0fb13b532ba5a680c1701026d29fb1931e7\r\nSHA256 1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\nSHA512 cdb1338674ea9407bbffe3569fbd021df4ebefe1bc8fad2415506005d2c6bd7d6f134c89aa6c0bc5a539783fd293329d3d442cf313c8d0c70c\r\nssdeep 1536:Qkj1G7eW0vV7qZx1kJMZKzO12lsSKwVDF1ZTgKTTkbv+DQeAsWq8McdsLA8+nr:QkW/0JqezblsSfx1VguFDwsLA8+n\r\nEntropy 6.568189\r\nAntivirus\r\nAhnlab Trojan/Win32.Manuscrypt\r\nBitDefender Gen:Variant.Ursu.337564\r\nClamAV Win.Trojan.Autophyte-6582725-0\r\nESET a variant of Win32/NukeSped.EN trojan\r\nEmsisoft Gen:Variant.Ursu.337564 (B)\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nSophos Troj/NukSped-A\r\nTACHYON Trojan-Spy/W32.Manuscrypt.129024\r\nTrendMicro Backdoo.C7D30B55\r\nTrendMicro House Call Backdoo.C7D30B55\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-09-02 20:34:51-04:00\r\nImport Hash 95dff862e0b00db0b05bcf957ad9e12e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n362b9b00897b7cbef771430b593496d0 header 1024 2.958886\r\n7121ea1bf412df273b88513bd7efb39d .text 90112 6.601268\r\ncad02e58fb94dfc67ee1fae275b98902 .rdata 28160 5.375842\r\nd8727a0a5051d7418591aae3a42a3f01 .data 3072 4.460652\r\n17c535c5be4192a355ca9e8d19f10138 .gfids 512 1.766088\r\n89b7e19270b2a5563c301b84b28e423f .rsrc 512 4.714485\r\ndb55d6484373493760026c3180cebf59 .reloc 5632 6.602821\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n1678327c5f... Connected_To aurumgroup.co.id\r\n1678327c5f... Connected_To 51shousheng.com\r\n1678327c5f... Connected_To new.titanik.fr\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant B. Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\naurumgroup.co.id\r\nTags\r\ncommand-and-control\r\nURLs\r\naurumgroup.co.id/wp-includes/rest.php\r\nRelationships\r\naurumgroup.co.id Connected_From 1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\naurumgroup.co.id Connected_From c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\nDescription\r\n86D3C1B354CE696E454C42D8DC6DF1B7 and 5182E7A2037717F2F9BBF6BA298C48FB attempt to connect to the domain.\r\n51shousheng.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n51shousheng.com/include/partview.php\r\nRelationships\r\n51shousheng.com Connected_From 1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\n51shousheng.com Connected_From c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\nDescription\r\n86D3C1B354CE696E454C42D8DC6DF1B7 and 5182E7A2037717F2F9BBF6BA298C48FB attempt to connect to the domain.\r\nnew.titanik.fr\r\nTags\r\ncommand-and-control\r\nURLs\r\nnew.titanik.fr/wp-includes/common.php\r\nRelationships\r\nnew.titanik.fr Connected_From 1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\nnew.titanik.fr Connected_From c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\nDescription\r\n86D3C1B354CE696E454C42D8DC6DF1B7 and 5182E7A2037717F2F9BBF6BA298C48FB attempt to connect to the domain.\r\nc0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\nTags\r\ntrojan\r\nDetails\r\nName 5182E7A2037717F2F9BBF6BA298C48FB\r\nSize 157696 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 5182e7a2037717f2f9bbf6ba298c48fb\r\nSHA1 47b5d2c3f741a896a26993dbbf4a5deec6f9ac53\r\nSHA256 c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\nSHA512 016a80dbd78e5614e38388b3e107cb9c9f29a971dfb90cceb8e91ce0af448359ac8ad3a898e623b142f4b7bd2638ffcd7869575d50e44c05ff\r\nssdeep 3072:HXyO7ibruDVtCuwxxy7Gwi6OnSaytibCCLUvg2/1Yn:HCO7ibruDVtCuIy7GwiBSaYSZ9x\r\nEntropy 6.194475\r\nAntivirus\r\nAhnlab Trojan/Win64.Manuscrypt\r\nBitDefender Gen:Variant.Ser.Ursu.13069\r\nClamAV Win.Trojan.Autophyte-6582725-0\r\nESET a variant of Win64/NukeSped.BD trojan\r\nEmsisoft Gen:Variant.Ser.Ursu.13069 (B)\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nSophos Troj/NukSped-A\r\nTACHYON Trojan-Spy/W64.Manuscrypt.157696\r\nTrendMicro Backdoo.7185D059\r\nTrendMicro House Call Backdoo.7185D059\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-09-02 20:35:10-04:00\r\nImport Hash 2013af6912650171ab98cb2d8b0b1a2e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n61ae8f48806dd3b4edbdc2f093941fa0 header 1024 3.151619\r\n0d0ecb30d5fc4d1be82fbfb1449842c9 .text 99328 6.398421\r\n29946785fcc534b4bb5c9591efc97c5d .rdata 44032 5.155298\r\n97eb24ae73f627856d986c0aaf5f1bd6 .data 4096 3.639072\r\nd09091ebf6183a54ca5da171553c1484 .pdata 6144 4.949925\r\n3f74a25aca1400441dae0c4256b2d870 .gfids 512 1.622338\r\n2d9583cf3eaec364bc8e0e0ad5dadf74 .rsrc 512 4.720823\r\n921b6d44e23652a86f3462e3eb523499 .reloc 2048 4.794591\r\nRelationships\r\nc0ee19d754... Connected_To aurumgroup.co.id\r\nc0ee19d754... Connected_To 51shousheng.com\r\nc0ee19d754... Connected_To new.titanik.fr\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\n9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\nTags\r\ntrojan\r\nDetails\r\nName 668D5B5761755C9D061DA74CB21A8B75\r\nSize 2212864 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 668d5b5761755c9d061da74cb21a8b75\r\nSHA1 49da356fd99d4b7c8cb4e77f89877ee41f8948ca\r\nSHA256 9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\nSHA512 8ec530a1a3fba89589f6041fc5466befa2247f3829ae46bff91f341a0957abb2515168e1ac6eaf02d04fc8bcd37a237c9071b2fa295a9963e6b\r\nssdeep 49152:h6nuk9DG/lEYtBgKPd3S7k1X2NDxDNWnnuTniH6:h6ukYEYtJV3S7aEDrWnnuTu\r\nEntropy 7.958398\r\nAntivirus\r\nAhnlab Trojan/Win64.Agent\r\nAntiy Trojan/Win32.Manuscrypt\r\nAvira TR/Agent.qhgqy\r\nBitDefender Trojan.GenericKD.31269235\r\nESET Win64/NukeSped.BT trojan\r\nEmsisoft Trojan.GenericKD.31269235 (B)\r\nIkarus Trojan.Win64.Themida\r\nK7 Trojan ( 0054ac401 )\r\nMcAfee Generic Trojan.gw\r\nNANOAV Trojan.Win64.Manuscrypt.fouxwk\r\nQuick Heal Trojan.Manuscrypt\r\nSymantec Trojan Horse\r\nTACHYON Trojan/W64.Manuscrypt.2212864\r\nTrendMicro Trojan.20BD6557\r\nTrendMicro House Call Trojan.20BD6557\r\nVirusBlokAda Trojan.Manuscrypt\r\nZillya! Trojan.Manuscrypt.Win32.19\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-09-16 20:16:44-04:00\r\nImport Hash baa93d47220682c04d92f7797d9224ce\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ne7fd8dca1ed04d4a10fb802bf3c8d5ef header 4096 0.987963\r\nde0782befb39ad89b25486af66e57da0   80896 7.892611\r\n7b576835c006db4e4bd934eedf39c4ec .rsrc 512 4.525348\r\n52add692ea0be6f14721c05b9a5dab58 .idata 512 1.297004\r\n936850d3b5e99c2a119b2a334196f7ac   512 0.227252\r\n994b9b89968924be47b7897c566017cb dwukfuez 2119680 7.961143\r\n63fc048012cf91b3840d92a6b6bbe245 fgwvbapa 512 4.416947\r\n4720f9e5ba755a82ff72caea5d49817e .pdataI 6144 4.962182\r\nRelationships\r\n9e4bd9676b... Connected_To duratransgroup.com\r\n9e4bd9676b... Connected_To eygingenieros.com\r\n9e4bd9676b... Connected_To eventum.cwsdev3.biz\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\nduratransgroup.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nduratransgroup.com/engl/lang.php\r\nRelationships\r\nduratransgroup.com Connected_From 9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\nDescription\r\n668D5B5761755C9D061DA74CB21A8B75 attempts to connect to the domain.\r\neygingenieros.com\r\nTags\r\ncommand-and-control\r\nURLs\r\neygingenieros.com/wp-includes/common.php\r\nRelationships\r\neygingenieros.com Connected_From 9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\nDescription\r\n668D5B5761755C9D061DA74CB21A8B75 attempts to connect to the domain.\r\neventum.cwsdev3.biz\r\nURLs\r\neventum.cwsdev3.biz/wp-includes/common.php\r\nRelationships\r\neventum.cwsdev3.biz Connected_From 9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\nDescription\r\n668D5B5761755C9D061DA74CB21A8B75 attempts to connect to the domain.\r\neee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\nTags\r\ntrojan\r\nDetails\r\nName 35E38D023B253C0CD9BD3E16AFC362A7\r\nSize 129024 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 35e38d023b253c0cd9bd3e16afc362a7\r\nSHA1 c850e733f4e0d4abb34969678f2a1abe3b2f4c24\r\nSHA256 eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\nSHA512 c605f9f895773b8a9a50581b490cfbf2434f687ec4faae0ce37082fb8fb5efa3e76f39fbc891bd38460b6ee56c240c09eada8b58cdaa9368c18d\r\nssdeep 1536:XbWB4W7YWyCNWf65xAkNbf+QFc9lvmKw77vliLlTrK+S31DQeAsWq8McdsX4A8PR:XbWt5yzf6kQolvmx7vliLh+DwsoA\r\nEntropy 6.571364\r\nAntivirus\r\nAhnlab Trojan/Win32.Manuscrypt\r\nAntiy Trojan/Win32.Manuscrypt\r\nAvira TR/AD.APTLazerus.qmssk\r\nBitDefender Trojan.GenericKD.40712007\r\nCyren W32/Trojan.BIAI-3752\r\nESET a variant of Win32/NukeSped.EN trojan\r\nEmsisoft Trojan.GenericKD.40712007 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 00539ca21 )\r\nMcAfee Trojan-FQUB!35E38D023B25\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win32.Manuscrypt.fkqspx\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/NukSped-A\r\nSymantec Trojan.Gen.2\r\nTACHYON Trojan/W32.Manuscrypt.129024\r\nTrendMicro BKDR_NU.A41D576C\r\nTrendMicro House Call BKDR_NU.A41D576C\r\nVirusBlokAda BScope.Trojan.Manuscrypt\r\nZillya! Trojan.Manuscrypt.Win32.22\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-10-19 03:23:31-04:00\r\nImport Hash 95dff862e0b00db0b05bcf957ad9e12e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na721b29ba240341403160375cd091c24 header 1024 2.966234\r\n70648fd64041effbf19466b97acb6341 .text 90112 6.601122\r\neb845e76ca0aac042cc722b086eadc6d .rdata 28160 5.385942\r\nd8727a0a5051d7418591aae3a42a3f01 .data 3072 4.460652\r\n52ad7e79f4212b855563d2718cca7bbb .gfids 512 1.768774\r\n89b7e19270b2a5563c301b84b28e423f .rsrc 512 4.714485\r\n54cbc7874c922d6f07d0ebae7a641ffe .reloc 5632 6.607571\r\nPackers/Compilers/Cryptors\r\nRelationships\r\neee38c632c... Connected_To theinspectionconsultant.com\r\neee38c632c... Connected_To danagloverinteriors.com\r\neee38c632c... Connected_To as-brant.ru\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\ntheinspectionconsultant.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ntheinspectionconsultant.com/wp-content/plugins/akismet/index1.php\r\nRelationships\r\ntheinspectionconsultant.com Connected_From f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\ntheinspectionconsultant.com Connected_From eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\nDescription\r\n35E38D023B253C0CD9BD3E16AFC362A7 and 72FE869AA394EF0A62BB8324857770DD attempt to connect to the domain.\r\ndanagloverinteriors.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ndanagloverinteriors.com/wp-content/plugins/jetpack/common.php\r\nRelationships\r\ndanagloverinteriors.com Connected_From f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\ndanagloverinteriors.com Connected_From eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\nDescription\r\n35E38D023B253C0CD9BD3E16AFC362A7 and 72FE869AA394EF0A62BB8324857770DD attempt to connect to the domain.\r\nas-brant.ru\r\nTags\r\ncommand-and-control\r\nURLs\r\nas-brant.ru/wp-content/themes/shapely/common.php\r\nRelationships\r\nas-brant.ru Connected_From f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\nas-brant.ru Connected_From eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\nDescription\r\n35E38D023B253C0CD9BD3E16AFC362A7 and 72FE869AA394EF0A62BB8324857770DD attempt to connect to the domain.\r\nf6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\nTags\r\ntrojan\r\nDetails\r\nName 72FE869AA394EF0A62BB8324857770DD\r\nSize 157696 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 72fe869aa394ef0a62bb8324857770dd\r\nSHA1 de03860d8a43358554ee4fab22c3fb25cae8992b\r\nSHA256 f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\nSHA512 54c86cef7f0b2b795d1e04323432acfeb78c751bcfdc1b693f2048b8f6af7fc06a6ef64d481764ec0c5261d5c4b020f079db6769433c705bc4\r\nssdeep 3072:gXFP7wuoSeJOwxFLo7qJ/hCIEftBgbRFCLUv3w7uYngn:g1P7wuoSeJOAs7qJ5cfzkKq0G\r\nEntropy 6.200286\r\nAntivirus\r\nAhnlab Trojan/Win64.Manuscrypt\r\nAntiy Trojan/Win64.Manuscrypt\r\nAvira TR/AD.APTLazerus.heseo\r\nBitDefender Trojan.GenericKD.31313805\r\nESET a variant of Win64/NukeSped.BD trojan\r\nEmsisoft Trojan.GenericKD.31313805 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Trojan ( 0053fa3f1 )\r\nMcAfee Trojan-FQUB!72FE869AA394\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.F!dha\r\nNANOAV Trojan.Win64.NukeSped.fjscrm\r\nSophos Troj/NukSped-A\r\nSymantec Trojan Horse\r\nTrendMicro BKDR64_.BB415F80\r\nTrendMicro House Call BKDR64_.BB415F80\r\nVirusBlokAda Trojan.Win64.Manuscrypt\r\nZillya! Trojan.Manuscrypt.Win64.1\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-10-19 03:23:52-04:00\r\nImport Hash 2013af6912650171ab98cb2d8b0b1a2e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n1eb1d7ade0e4b678e553734e2cd3e6f3 header 1024 3.155059\r\nab0669c74b116223c3de6213940a0268 .text 99328 6.401690\r\n911b91de22fe394f42948a75e7e87817 .rdata 44032 5.166334\r\n97eb24ae73f627856d986c0aaf5f1bd6 .data 4096 3.639072\r\nf1f39a167b5525fd01fdb683d0bf2ca8 .pdata 6144 4.934767\r\nd3a397fe89f106c07d5fa28e0bbf7edb .gfids 512 1.653715\r\n2d9583cf3eaec364bc8e0e0ad5dadf74 .rsrc 512 4.720823\r\n0814e49777e4a22532b43b74a44c2c72 .reloc 2048 4.794082\r\nRelationships\r\nf6e1a14654... Connected_To theinspectionconsultant.com\r\nf6e1a14654... Connected_To danagloverinteriors.com\r\nf6e1a14654... Connected_To as-brant.ru\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant B. 
Refer to 912F87392A889070DBB1097A82CCD93F for analysis.\r\n37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\nTags\r\nbackdoorpuptrojan\r\nDetails\r\nName A8B6EC51ED88C0329FD3329CB615BBC9\r\nSize 95744 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 a8b6ec51ed88c0329fd3329cb615bbc9\r\nSHA1 f744f5f97ace1a4862e764971449c28c4b880e8f\r\nSHA256 37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\nSHA512 26e1558557e3b44d18a1d97a38cc9881bc025d4979e914d40ef42248d7c5b3d09cfa17ab3893d91d65c29ba9d94047726f42be91bcd424f5\r\nssdeep 1536:fIbpjZh3Qj6T4T0PY0qBbxp35d5Nh3UCzsW8cdvZ1Q6B:fM3Qe4yY0qtf/hk+vZ1Q6B\r\nEntropy 6.373893\r\nAntivirus\r\nAhnlab Backdoor/Win32.Agent\r\nAntiy Trojan/Win32.Manuscrypt\r\nAvira TR/Agent.ktlxw\r\nBitDefender Trojan.GenericKD.32074646\r\nClamAV Win.Trojan.GhostPuppet-7404648-0\r\nESET a variant of Win32/Agent.AAWV trojan\r\nEmsisoft Trojan.GenericKD.32074646 (B)\r\nIkarus Trojan.Agent\r\nNANOAV Trojan.Win32.Manuscrypt.fscabu\r\nQuick Heal Trojan.Manuscrypt\r\nSymantec Trojan Horse\r\nTACHYON Trojan-Spy/W32.Agent.95744.J\r\nVirusBlokAda Trojan.Manuscrypt\r\nZillya! Trojan.Agent.Win32.1161280\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-06-18 08:03:21-04:00\r\nImport Hash 5446c3bf7cbf3287d9a8bffcc3ac95a9\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nf415a11b78cf73e9c20856ebf542c7c5 header 1024 2.732806\r\n32765031f78d5821a7828a3a03fb509a .text 61440 6.572955\r\n946000c535906e58ffe121d5cff7c6ba .rdata 25600 4.984772\r\n25f93d3b0c87967785c3858f1b44cb02 .data 2560 2.163019\r\n065463fcb19d087772450d47229f013f .rsrc 512 4.717679\r\nf860381eb55d57e79cd6cf5f8972763a .reloc 4608 6.518570\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n37bb27f4eb... Connected_To rxrenew.us\r\n37bb27f4eb... Connected_To creativefishstudio.com\r\n37bb27f4eb... Connected_To sensationalsecrets.com\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant C. Variant C can be distinguished from previous versions through the absence of the beacon string \"*dJU!*JE\u0026!M@UNQ@\" and the use of a generated cookie to pass certain information instead of multi-part HTTP POST requests. The cookie is designed to appear like a standard Google Analytics cookie. The format used by the malware is noted below:\r\n--Begin cookie format--\r\nCookie: _ga=GA1.%d.%02d%d%d%02d.%d%05d%04d; gid=GA1.%d.%02d%d%03d.%d%05d%04d\r\nCookie: _ga=GA1.\u003c1\u003e.\u003c2\u003e\u003c3\u003e\u003c4\u003e\u003c5\u003e.\u003c6\u003e\u003c7\u003e\u003c8\u003e; gid=GA1.\u003c1\u003e.\u003c9\u003e\u003c10\u003e\u003c11\u003e.\u003c6\u003e\u003c7\u003e\u003c8\u003e\r\nwhere\r\n1 = rand % 10\r\n2 = rand % 100\r\n3 = 0 or 1 if implant is ready to receive its first command\r\n4 = sessionID\r\n5 = rand % 100\r\n6 = rand % 10\r\n7 = rand % 100000\r\n8 = rand % 10000\r\n9 = rand % 100\r\n10 = 1879 or 8678 if handshake packet\r\n11 = rand % 1000\r\n--End cookie format--\r\nVariant C will randomly choose from one of three hard-coded Accept-Language headers:\r\n--Begin Accept-Language headers--\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Language: de-CH\r\nAccept-Language: az-Arab\r\n--End Accept-Language headers--\r\nVariant C datagrams are sent in the HTTP POST body and encrypted in the same manner as Variant B with the same RC4 key. Like in Variant B, the RC4 key stream will reset after the SystemInfo command. 
Variant C performs API loading at runtime but does not obfuscate the strings.\r\nScreenshots\r\nFigure 3 - Variant C contains the commands displayed in the table.\r\nrxrenew.us\r\nTags\r\ncommand-and-control\r\nURLs\r\nrxrenew.us/wp-content/themes/hestias/index.php\r\nRelationships\r\nrxrenew.us Connected_From e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\nrxrenew.us Connected_From 37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\nDescription\r\nA8B6EC51ED88C0329FD3329CB615BBC9 and 117FA0B8B8B965680C7B630C6E2BF01D attempt to connect to the domain.\r\ncreativefishstudio.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ncreativefishstudio.com/newbiesspeak/left.php\r\nRelationships\r\ncreativefishstudio.com Connected_From e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\ncreativefishstudio.com Connected_From 37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\nDescription\r\nA8B6EC51ED88C0329FD3329CB615BBC9 and 117FA0B8B8B965680C7B630C6E2BF01D attempt to connect to the domain.\r\nsensationalsecrets.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nsensationalsecrets.com/js/left.php\r\nRelationships\r\nsensationalsecrets.com Connected_From e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\nsensationalsecrets.com Connected_From 37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\nDescription\r\nA8B6EC51ED88C0329FD3329CB615BBC9 and 117FA0B8B8B965680C7B630C6E2BF01D attempt to connect to the domain.\r\ne6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\nTags\r\npuptrojan\r\nDetails\r\nName 117FA0B8B8B965680C7B630C6E2BF01D\r\nSize 116736 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 117fa0b8b8b965680c7b630c6e2bf01d\r\nSHA1 7202fea74865e085104f839574cd150613fbcf99\r\nSHA256 e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\nSHA512 454703dd49b4b8feb36b71d7a6d18f7811c221675e272b6fe0b3d9f60a7c5c61bb6b0d8f9d84eb13cf68685dd9ef482f39b6026dda8867d90\r\nssdeep 3072:iN9F81gu+0WsPxRr0T7V4P2F6U6V641B820D:iN81/+0JpJ0TJrq600D\r\nEntropy 6.008099\r\nAntivirus\r\nAhnlab Trojan/Win64.Manuscrypt\r\nAntiy Trojan/Win32.Manuscrypt\r\nBitDefender Trojan.GenericKD.32076195\r\nClamAV Win.Trojan.GhostPuppet-7404648-0\r\nESET a variant of Win64/NukeSped.CA trojan\r\nEmsisoft Trojan.GenericKD.32076195 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nNANOAV Trojan.Win64.Manuscrypt.fslzmk\r\nNetGate Trojan.Win32.Malware\r\nQuick Heal Trojan.Manuscrypt\r\nSymantec Trojan Horse\r\nTACHYON Trojan-Spy/W64.Agent.116736\r\nTrendMicro BKDR_NU.F8DCFF65\r\nTrendMicro House Call BKDR_NU.F8DCFF65\r\nVirusBlokAda Trojan.Manuscrypt\r\nZillya! Trojan.NukeSped.Win64.35\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-06-18 08:03:26-04:00\r\nImport Hash 912d2b0681d67169c9ee0b4cead2c366\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n638c9a9cdf6ecfc555c8c07f4e8c7ecf header 1024 2.903657\r\n90f4f418377655079d9186062658dd5d .text 65536 6.364048\r\nd57a642f43ef623527e4bc0870475b20 .rdata 40448 4.798275\r\n025170c7aa8e93ab068076ec3d9e871b .data 2560 2.321313\r\n082001fb6c468d8828e1019e179b5749 .pdata 4608 4.785751\r\n50c26f8b7696190a236f2e12c71402ce .rsrc 512 4.717679\r\n611f9b1269513b8c4810c722c5278660 .reloc 2048 4.851328\r\nRelationships\r\ne6fc788b5f... Connected_To rxrenew.us\r\ne6fc788b5f... Connected_To creativefishstudio.com\r\ne6fc788b5f... Connected_To sensationalsecrets.com\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant C. 
Refer to A8B6EC51ED88C0329FD3329CB615BBC9 for analysis.\r\n284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\nTags\r\npuptrojan\r\nDetails\r\nName DB590EA77A92AE6435E2EC954D065ED4\r\nSize 118272 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 db590ea77a92ae6435e2ec954d065ed4\r\nSHA1 ef0c0ef95b1542184a6a1f4d1f4ece583046ba0a\r\nSHA256 284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\nSHA512 07d1da9735f468fd389bcf34052f94977ffc64028b54ae4a7f077aab8488bc5e82cde82671da84c0e649d1ffb3fe05491b7bfde967581799fc4\r\nssdeep 1536:bUtygCBUwWkWtptf4W9wuJ9r82lVOwEnSMw/XjGCpsWBMdc9dlMLTQjP8PoRbB:oty7WkYwW9L98gVVZ/zGMWUUM8\r\nEntropy 6.003427\r\nAntivirus\r\nAhnlab Trojan/Win64.Manuscrypt\r\nAvira TR/NukeSped.wnyqo\r\nBitDefender Gen:Variant.Cerbu.38929\r\nClamAV Win.Trojan.GhostPuppet-7404648-0\r\nCyren W64/Trojan.MDBT-6130\r\nESET a variant of Win64/NukeSped.CA trojan\r\nEmsisoft Gen:Variant.Cerbu.38929 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nMcAfee RDN/Generic.fhb\r\nNANOAV Trojan.Win64.NukeSped.ftxzll\r\nSymantec Trojan Horse\r\nVirusBlokAda Trojan.Agent\r\nZillya! Trojan.Agent.Win32.1117465\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-07-15 09:20:00-04:00\r\nImport Hash 0760d8e97dd31634b3dd017abf4774a0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n9514b568295f93b907811e056fb57c35 header 1024 2.987943\r\nc82aed4c6f8d5ed8460b51e35915a90a .text 66560 6.363581\r\na8c513f71aaafa5199def8a965ad5e51 .rdata 40448 4.819785\r\nfe894e926ee83c0a9904cd411cdef116 .data 2560 2.327005\r\naacfa1b64b7343d8d12dddd57154285d .pdata 4608 4.791352\r\ned53cfac37dd783aa39a61f036e4f4e9 .rsrc 1024 3.792752\r\n06a0fac8b9ff5aff98362773e499a0f8 .reloc 2048 4.845065\r\nRelationships\r\n284bc47164... Connected_To rhythm86.com\r\n284bc47164... Connected_To cabba-cacao.com\r\n284bc47164... Connected_To 3x-tv.com\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant C. Refer to A8B6EC51ED88C0329FD3329CB615BBC9 for analysis.\r\nrhythm86.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nrhythm86.com/wp-content/themes/twentysixteen/about.php\r\nRelationships\r\nrhythm86.com Connected_From 284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\nDescription\r\nDB590EA77A92AE6435E2EC954D065ED4 attempts to connect to the domain.\r\ncabba-cacao.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ncabba-cacao.com/wp-content/themes/integral/about.php\r\nRelationships\r\ncabba-cacao.com Connected_From 284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\nDescription\r\nDB590EA77A92AE6435E2EC954D065ED4 attempts to connect to the domain.\r\n3x-tv.com\r\nTags\r\ncommand-and-control\r\nURLs\r\n3x-tv.com/plugins/editors/about.php\r\nRelationships\r\n3x-tv.com Connected_From 284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\nDescription\r\nDB590EA77A92AE6435E2EC954D065ED4 attempts to connect to the domain.\r\na1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\nTags\r\nbackdoorpuptrojan\r\nDetails\r\nName 0856655351ACFFA1EE459EEEAF164756\r\nSize 119808 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 0856655351acffa1ee459eeeaf164756\r\nSHA1 fe0f8a37887c8f8fb5eb3e8252a8df395b3e66e7\r\nSHA256 a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\nSHA512 1dec04eef52a9872de02fa6fc1afcc9ccdc0d756d1b2de35ebda83985aefe7111b21a1e2be45992f3a35e5f70528947f91f50d098571206c180\r\nssdeep 1536:iZBO9DuBAnQ2Vv4+BjVHxcTtBEIxyvO1URh+EhmGCpsWBMdc9dlM4bzd2U8EfwVB:uBOZuBUQwPjV+TcIUvXh+NGMW\r\nEntropy 5.978562\r\nAntivirus\r\nAhnlab Trojan/Win64.Manuscrypt\r\nAntiy Trojan[Backdoor]/Win32.Lazarus\r\nAvira TR/NukeSped.okrph\r\nBitDefender Gen:Variant.Cerbu.38929\r\nClamAV Win.Trojan.GhostPuppet-7404648-0\r\nCyren W64/Trojan.PWEO-6087\r\nESET a variant of Win64/NukeSped.CA trojan\r\nEmsisoft Gen:Variant.Cerbu.38929 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nNANOAV Trojan.Win64.Lazarus.ftxgov\r\nQuick Heal Backdoor.Lazarus\r\nSymantec Trojan.Gen.MBT\r\nTrendMicro BKDR64_.DFFFEE3F\r\nTrendMicro House Call BKDR64_.DFFFEE3F\r\nVir.IT eXplorer Backdoor.Win32.NukeSped.BH\r\nVirusBlokAda Backdoor.Lazarus\r\nZillya! Trojan.NukeSped.Win64.41\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-07-23 02:17:02-04:00\r\nImport Hash 7712511643053a6d00be14bd064ba3b3\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nf5ce198af5d5f13f685bf5e7b4321e00 header 1024 2.998958\r\n280ac4987654f06c9b59b6e73d406d0a .text 66560 6.372604\r\n20923d9916cc0109900b80bcb6f57c21 .rdata 40448 4.826823\r\nfe894e926ee83c0a9904cd411cdef116 .data 2560 2.327005\r\n5268ff6f51de87cfe39fd45f886ed02f .pdata 4608 4.804507\r\n6ca9b71152093220d3c5306c9ff4512d .rsrc 2560 2.923477\r\naec7d049f3081bab81509c1da7ce4f5e .reloc 2048 4.845016\r\nRelationships\r\na1cdb78410... Connected_To castorbyg.dk\r\na1cdb78410... Connected_To matthias-dlugi.de\r\na1cdb78410... Connected_To locphuland.com\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant C. 
Refer to A8B6EC51ED88C0329FD3329CB615BBC9 for\r\nanalysis.\r\ncastorbyg.dk\r\nTags\r\ncommand-and-control\r\nURLs\r\ncastorbyg.dk/wp-content/themes/302.php\r\nRelationships\r\ncastorbyg.dk Connected_From a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\nDescription\r\n0856655351ACFFA1EE459EEEAF164756 attempts to connect to the domain.\r\nmatthias-dlugi.de\r\nTags\r\ncommand-and-control\r\nURLs\r\nmatthias-dlugi.de/wp-content/themes/twentyfifteen/helper.php\r\nRelationships\r\nmatthias-dlugi.de Connected_From a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\nDescription\r\n0856655351ACFFA1EE459EEEAF164756 attempts to connect to the domain.\r\nlocphuland.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nlocphuland.com/wp-content/themes/hikma/total.php\r\nRelationships\r\nlocphuland.com Connected_From a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\nDescription\r\n0856655351ACFFA1EE459EEEAF164756 attempts to connect to the domain.\r\nb4bf6322c67a23553d5a9af6fcd9510eb613ffac963a21e32a9ced83132a09ba\r\nTags\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 42 of 56\n\ndownloadertrojan\r\nDetails\r\nName 34C2AC6DAA44116713F882694B6B41E8\r\nSize 413696 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 34c2ac6daa44116713f882694b6b41e8\r\nSHA1 323258353c244b373c758906d88a2bf9663abf8d\r\nSHA256 b4bf6322c67a23553d5a9af6fcd9510eb613ffac963a21e32a9ced83132a09ba\r\nSHA512 5d4368d9de8c15b8b2945ad0aebf1bdc9c5e14dfc2927fb43d254f129675285278116ac9f32e0e3b11aeac10b488fa78c9c57ef1634a911ab7\r\nssdeep 3072:rNXQoaFxes6EiH6Zq2dIvkapOztAzfb7zgntbeGfCDQomoRoYohoYoloodocoomn:rNXQoaFA6TdIvbxHFGfCDtoLb779qPb\r\nEntropy 6.080481\r\nAntivirus\r\nAhnlab Win-Trojan/Akdoor.Gen\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/Agent.413696.177\r\nBitDefender Trojan.GenericKD.6306955\r\nESET a variant of Win32/NukeSped.AS trojan\r\nEmsisoft Trojan.GenericKD.6306955 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nMicrosoft 
Security Essentials Trojan:Win32/FoggyBrass.A!dha\r\nNANOAV Trojan.Win32.Agent.dyiqsz\r\nSymantec Infostealer.Limitail\r\nTACHYON Trojan.GenericKD.2848758\r\nTrendMicro TROJ_FR.B20F0867\r\nTrendMicro House Call TROJ_FR.B20F0867\r\nVirusBlokAda BScope.Trojan.Downloader\r\nZillya! Trojan.NukeSped.Win32.211\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2015-10-26 02:49:15-04:00\r\nImport Hash 286a6d2c70e3abce9178b4dde553be1e\r\nPE Sections\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 43 of 56\n\nMD5 Name Raw Size Entropy\r\nf99d1ddfaa147735453ba03902858bdd header 4096 0.707250\r\ne43e40d71706646e57eaa4bab011f1fe .text 90112 6.601261\r\n6d16ccd8c4bf43898ce90a54570ee55f .rdata 8192 4.923082\r\n6b290555b2ac46d8971af1ecd979ebd2 .data 20480 2.478666\r\n02a1e02ca134ced49ced1be22c562e26 .rsrc 290816 5.824422\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nDescription\r\nThis file is a 32-bit Windows executable and has been identified as Variant D. Variant D generates an HTTP POST request\r\nvery similar to that of Variant A. The only difference is the beacon string, this variant uses \"t34kjfdla45l\". Datagrams are\r\nencrypted with a combination of RC4 and differential XOR. 
The RC4 key used is\r\n\"0x0D06092A864886F70D01010105000382\".\r\nScreenshots\r\nFigure 4 - Variant D contains the commands displayed in the table.\r\n134b082b418129ffa390fbee1568bd9510c54bfdd0e6b1f36bc7b8f867e56283\r\nDetails\r\nName 633BD738AE63B6CE9C2A48CBDDD15406\r\nSize 110592 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 633bd738ae63b6ce9c2a48cbddd15406\r\nSHA1 9807eadca9016f843ee35426d06bf67860d9cc39\r\nSHA256 134b082b418129ffa390fbee1568bd9510c54bfdd0e6b1f36bc7b8f867e56283\r\nSHA512 681c659813ab9e7dccfe4b3f86dfcc69dc63976a78ef93bff745543501c8cdfac988e7cd4f07a1a00f7432be12203b4f77f716f62b21616ffd1c\r\nssdeep 3072:xZRo0uR/IjCCvWyBra4YUzCbBAHFbEQP:xZm+GCW2m4YUzCbOv\r\nEntropy 6.483560\r\nAntivirus\r\nSymantec Heur.AdvML.B\r\nYARA Rules\r\nrule CISA_10135536_06 : HiddenCobra rat\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10135536\"\r\n       Date = \"2018-05-04\"\r\n       Actor = \"HiddenCobra\"\r\n       Category = \"Trojan RAT\"\r\n       Family = \"BLINDINGCAN\"\r\n       Description = \"Detects Trojan RAT\"\r\n       MD5_1 = \"f9e6c35dbb62101498ec755152a8a67b\"\r\n       SHA256_1 = \"1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954\"\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 44 of 56\n\nMD5_2 = \"d742ba8cf5b24affdf77bc6869da0dc5\"\r\n       SHA256_2 = \"7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799\"\r\n       MD5_3 = \"aefcd8e98a231bccbc9b2c6d578fc8f3\"\r\n       SHA256_3 = \"96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a\"\r\n       MD5_4 = \"3a6b48871abbf2a1ce4c89b08bc0b7d8\"\r\n       SHA256_4 = \"f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3\"\r\n   strings:\r\n       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }\r\n       $s1 = { 50 4D 53 2A 2E 74 6D 70 }\r\n       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 
71 39 82 B0 81 78 }\r\n   condition:\r\n       any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-02-05 01:51:48-05:00\r\nImport Hash e323d4ef56b270402fb9e6c461542ad1\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n1879db2bfe51d8e1aeef41777c2c97e3 header 1024 2.453253\r\naf4b3b39e5faf6f61340622604f97a0e .text 81920 6.635901\r\nddd311c7dca06e585757f426cb9178fc .rdata 14848 5.124397\r\n086be14d819327c4cb2eecb13da9bef4 .data 4608 3.602410\r\n142b335625420f8ae2ec8fc51de0b6b2 .rsrc 512 5.112624\r\nec32cc24421e55461a5ad48fc96ff984 .reloc 7680 4.861507\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ DLL *sign by CodeRipper\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant E. Variant E forgoes the multi-part HTTP POST request format\r\nof Variant D and instead uses a single HTTP POST body with four parameters of Base64 encoded data as displayed below:\r\n--Begin HTTP POST format--\r\nPOST /\u003curi\u003e HTTP/1.1\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nUser-Agent: \u003cobtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 6.1; WOW64)\r\nChrome/28.0.1500.95 Safari/537.36\u003e\r\nHost: \u003cdomain\u003e\r\nContent-Length: \u003clength\u003e\r\nid=\u003ckey\u003e\u003cparamList\u003e\u0026\u003crandom_1\u003e=\u003csessionID\u003e\u0026\u003crandom_2\u003e=\u003cfixedString\u003e\u0026\u003crandom_3\u003e=\u003cdatagram\u003e\r\n--End HTTP POST format--\r\nThe first parameter, 'id', will consist of two separate base64 encoded parts. The first part consists of nine randomly generated\r\nlower case characters to be used as the RC4 key for the first three parameters. The second part of the 'id' parameter is a colon\r\ndelimited list of the other three parameter names encrypted with RC4. 
Those three parameters are randomly selected from a\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 45 of 56\n\nlist of 51 strings. The second parameter data is the session id. The third parameter data is a fixed string in the implant:\r\n\"T1B7D95256A2001E\". When encrypting data from the first three parameters, the encryption starts \"0xC00 bytes\" into the\r\nRC4 key stream. The last parameter will contain the datagram to be sent. The datagram is encrypted in the same manner as\r\nVariant B Version 1.0 using a combination of RC4 and differential XOR. The only difference is the additional layer of\r\nBase64 encoding.\r\nScreenshots\r\nFigure 5 - Variant E contains the commands displayed in the table.\r\n0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\nTags\r\ntrojan\r\nDetails\r\nName 171B9135540F89BF727B690B9E587A4E\r\nSize 1778176 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 171b9135540f89bf727b690b9e587a4e\r\nSHA1 930577d155c41ad843be09a5910a75160eb0eca9\r\nSHA256 0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\nSHA512 811f9e5302b0a048d56fb54b70df2819c7219accf07c1f69f9d4c9342fbb4748017ae5acb3e3e8c6ab0d5c8c5660f9c0b542e06b306b96e783\r\nssdeep 49152:Z689410GBsVASqabr4nrhKCJiX1zBj7Is:Z604zehqabr4hli1zBH\r\nEntropy 7.951261\r\nAntivirus\r\nAhnlab Trojan/Win64.Agent\r\nAntiy Trojan/Win32.Agentb\r\nAvira TR/NukeSped.psxmr\r\nBitDefender Trojan.GenericKD.31831026\r\nESET Win32/NukeSped.FL trojan\r\nEmsisoft Trojan.GenericKD.31831026 (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 0054ae921 )\r\nMcAfee Generic Trojan.gv\r\nNANOAV Trojan.Win32.NukeSped.foyooc\r\nSymantec Trojan Horse\r\nTACHYON Trojan/W32.Agent.1778176.N\r\nTrendMicro TROJ_FR.FB1AA970\r\nTrendMicro House Call TROJ_FR.FB1AA970\r\nVirusBlokAda TScope.Malware-Cryptor.SB\r\nZillya! 
Trojan.Agentb.Win32.22138\r\nYARA Rules\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 46 of 56\n\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-10-07 23:05:18-04:00\r\nImport Hash baa93d47220682c04d92f7797d9224ce\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n9e19e7fb6309129d9cf0a01c4e736a05 header 4096 0.905647\r\n4ea36d953ccdb30fb625e51136a26969   54272 7.980761\r\n302d4b306fd7974ce2b980a88adb61b2 .rsrc 512 4.514680\r\n59f642fe00fbfca3c92c42b2cae802f8 .idata 512 1.308723\r\nf69164b5fe72547bf86a52994b636858   512 0.256865\r\ne45475d50cd89d8688e42771053c8632 bncavhpe 1717760 7.953161\r\n3c91bb7f24d17b602cc359f5fe5d2322 psmxndys 512 3.597543\r\nRelationships\r\n0a763da26a... Connected_To streamf.ru\r\n0a763da26a... Connected_To vinhsake.com\r\n0a763da26a... Connected_To bogorcenter.com\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant F. Variant F of the implant uses multi-part HTTP POST messages\r\nconsisting of three parts holding the victim id, response code, and datagram, as outlined below:\r\n--Begin HTTP POST format--\r\nPOST /\u003curi\u003e HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=\u003cboundaryString\u003e\r\nUser-Agent: \u003cobtained from ObtainUserAgentString\u003e\r\nHost: \u003cdomain\u003e\r\nContent-Length: \u003clength\u003e\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n--\u003cboundaryString\u003e\r\nContent-Disposition: form-data; name=\"_webident_f\"\r\n\u003cvictimId\u003e\r\n--\u003cboundarString\u003e\r\nContent-Disposition: form-data; name=\"_webident_s\"\r\n\u003cresponse code\u003e\r\n--\u003cboundaryString\u003e\r\nContent-Disposition: form-data; name=\"file\"; filename=\"\u003crandom\u003e.dat\"\r\nContent-Type: octet-stream\r\n\u003cdatagram\u003e\r\n--\u003cboundaryString\u003e\r\n--End HTTP POST format--\r\nTwo additional User-Agent strings have been used by this 
version:\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 47 of 56\n\n--Begin User-Agent strings--\r\nMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131\r\nSafari/537.36\r\n--End User-Agent strings--\r\nDatagrams are encoded using a single byte XOR with the value \"0xAA\".\r\nScreenshots\r\nFigure 6 - Variant F contains the commands displayed in the table.\r\nstreamf.ru\r\nTags\r\ncommand-and-control\r\nURLs\r\nstreamf.ru//wp-content/index2.php\r\nRelationships\r\nstreamf.ru Connected_From 0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\nDescription\r\n171B9135540F89BF727B690B9E587A4E attempts to connect to the domain.\r\nvinhsake.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nvinhsake.com//wp-content/uploads/index2.php\r\nRelationships\r\nvinhsake.com Connected_From 0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\nDescription\r\n171B9135540F89BF727B690B9E587A4E attempts to connect to the domain.\r\nbogorcenter.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nbogorcenter.com/wp-content/themes/index2.php\r\nRelationships\r\nbogorcenter.com Connected_From 0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\nDescription\r\n171B9135540F89BF727B690B9E587A4E attempts to connect to the domain.\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 48 of 56\n\n1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName 22F8D2A0C8D9B54A553FCA1B2393B266\r\nSize 126976 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 22f8d2a0c8d9b54a553fca1b2393b266\r\nSHA1 08bacda419c5c663bd16374ee690e8822af74af0\r\nSHA256 1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\nSHA512 
0a51be4e9d4d95d4e511b97bdfa2aaec5db39388eedf17285922f6057ca171f55734c2e5e7d556a7d3655c6b01430bae045045644013139f6\r\nssdeep 3072:hdnIUhpSA9IybNLYhsmbjzwI3tFMHBNu:vnIUhpS85WsmbnKN\r\nEntropy 6.417310\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan[Backdoor]/Win32.Manuscrypt\r\nAvira BDS/Redcap.hcfxr\r\nBitDefender Trojan.GenericKD.33520232\r\nCyren W32/Trojan.ITLW-8523\r\nESET a variant of Generik.BTKBSHE trojan\r\nEmsisoft Trojan.GenericKD.33520232 (B)\r\nNANOAV Trojan.Win32.Manuscrypt.hepayr\r\nQuick Heal Backdoor.Manuscrypt\r\nTACHYON Trojan/W32.Agent.126976.DEL\r\nTrendMicro BKDR_NU.82E0FF6A\r\nTrendMicro House Call BKDR_NU.82E0FF6A\r\nVirusBlokAda Backdoor.Manuscrypt\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-07-23 20:50:45-04:00\r\nImport Hash 33ef573774873705ce44ec95183c2e0f\r\nPE Sections\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 49 of 56\n\nMD5 Name Raw Size Entropy\r\n49356d02c29028e4a4986d5770624266 header 1024 2.940664\r\n0bd65b0788f3e6043c6aa53346e88a19 .text 87552 6.583271\r\na5be05b45ad3419c246cf21f9be20826 .rdata 27136 5.394968\r\n2bc12ba81a6644ceb7fa81303444d333 .data 5120 1.183309\r\nbfe346cfed24683b605f901394c8cf69 .gfids 512 1.429806\r\n904005e1749dcd577a0be29a83ff9ce1 .rsrc 512 4.720823\r\n2adefe9831125b0ab9459ad7733cb42e .reloc 5120 6.468427\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n1884ddc53e... Connected_To stokeinvestor.com\r\n1884ddc53e... Connected_To growthincone.com\r\n1884ddc53e... Connected_To inverstingpurpose.com\r\nDescription\r\nThis file is a 32-bit DLL and has been identified as Variant F. 
Refer to 171B9135540F89BF727B690B9E587A4E for\r\nanalysis.\r\nstokeinvestor.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nstokeinvestor.com/common.php\r\nRelationships\r\nstokeinvestor.com Connected_From c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\nstokeinvestor.com Connected_From 1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\nDescription\r\n22F8D2A0C8D9B54A553FCA1B2393B266 and FDD55A38A45DE8AF6F8C34A33BAE11CB attempt to connect to the\r\ndomain.\r\ngrowthincone.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ngrowthincone.com/board.php\r\nRelationships\r\ngrowthincone.com Connected_From c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\ngrowthincone.com Connected_From 1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 50 of 56\n\nDescription\r\n22F8D2A0C8D9B54A553FCA1B2393B266 and FDD55A38A45DE8AF6F8C34A33BAE11CB attempt to connect to the\r\ndomain.\r\ninverstingpurpose.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ninverstingpurpose.com/head.php\r\nRelationships\r\ninverstingpurpose.com Connected_From c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\ninverstingpurpose.com Connected_From 1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\nDescription\r\n22F8D2A0C8D9B54A553FCA1B2393B266 and FDD55A38A45DE8AF6F8C34A33BAE11CB attempt to connect to the\r\ndomain.\r\nc24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName FDD55A38A45DE8AF6F8C34A33BAE11CB\r\nSize 141312 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 fdd55a38a45de8af6f8c34a33bae11cb\r\nSHA1 f2da56d6a565ade77d7ebb0c31eda99b415bcced\r\nSHA256 c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\nSHA512 f81e0cb975269483f43a35b10b8f01efe708453e675f3909585c1332d477bff69d47abc570563ac1cf8dcecc4133a702db6b0ab19548f3e0e0\r\nssdeep 
3072:RFoydrw7d4uA4LsuvitZmf5eXv91596YPG:PXG7d47wsOiXmfw1DG\r\nEntropy 6.089052\r\nAntivirus\r\nAhnlab Trojan/Win64.Agent\r\nAntiy Trojan[Backdoor]/Win64.Manuscrypt\r\nBitDefender Trojan.GenericKD.32627436\r\nCyren W64/Trojan.URTH-8310\r\nESET a variant of Generik.CETMACQ trojan\r\nEmsisoft Trojan.GenericKD.32627436 (B)\r\nMcAfee RDN/Generic BackDoor\r\nTACHYON Trojan/W64.Agent.141312.B\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 51 of 56\n\nTrendMicro BKDR64_.DFFFEE3F\r\nTrendMicro House Call BKDR64_.DFFFEE3F\r\nVirusBlokAda Backdoor.Win64.Manuscrypt\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-07-23 20:49:41-04:00\r\nImport Hash f2da13bb8bffa45aa11aaf82d51d54b5\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n557352a095b601682822a48dfb6ff35e header 1024 3.105520\r\n8bb19f482bddce12c71f47569cf5c732 .text 84992 6.415516\r\na14c6a5866fe494ff5cfd42a0bb2d2c4 .rdata 41984 5.116442\r\nd0c6f887dc794cc7c49bf38a5eba50ff .data 5120 1.262987\r\naaed812597858a671260a72da7bcb794 .pdata 5120 4.872234\r\nf0819a00354c53d2e35aa1fc5239ff49 .gfids 512 1.283686\r\n85d6df69cd236ab12321a95d2a49aff1 .rsrc 512 4.720823\r\n62de5951242abfc3312799424b9f0406 .reloc 2048 4.712047\r\nRelationships\r\nc24c322f45... Connected_To stokeinvestor.com\r\nc24c322f45... Connected_To growthincone.com\r\nc24c322f45... Connected_To inverstingpurpose.com\r\nDescription\r\nThis file is a 64-bit DLL and has been identified as Variant F. Refer to 171B9135540F89BF727B690B9E587A4E for\r\nanalysis.\r\nRelationship Summary\r\nd8af45210b... Connected_To 530hr.com\r\nd8af45210b... Connected_To 028xmz.com\r\nd8af45210b... 
Connected_To 168wangpi.com\r\n530hr.com Connected_From d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\n530hr.com Connected_From 7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\n028xmz.com Connected_From d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\n028xmz.com Connected_From 7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\n168wangpi.com Connected_From d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 52 of 56\n\n168wangpi.com Connected_From 7985af0a87780d27dc52c4f73c38de44e5ad477cb78b2e8e89708168fbc4a882\r\n7985af0a87... Connected_To 530hr.com\r\n7985af0a87... Connected_To 028xmz.com\r\n7985af0a87... Connected_To 168wangpi.com\r\ne98991cdd9... Connected_To marmarademo.com\r\ne98991cdd9... Connected_To 33cow.com\r\ne98991cdd9... Connected_To 97nb.net\r\nmarmarademo.com Connected_From e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\n33cow.com Connected_From e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\n97nb.net Connected_From e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292\r\n4838f85499... Connected_To anlway.com\r\n4838f85499... Connected_To apshenyihl.com\r\n4838f85499... Connected_To ap8898.com\r\nanlway.com Connected_From 4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\napshenyihl.com Connected_From 4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\nap8898.com Connected_From 4838f85499e3c68415010d4f19e83e2c9e3f2302290138abe79c380754f97324\r\ne76b3fd3e9... Connected_To aloe-china.com\r\ne76b3fd3e9... Connected_To 92myhw.com\r\ne76b3fd3e9... 
Connected_To aisou123.com\r\naloe-china.com Connected_From e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\n92myhw.com Connected_From e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\naisou123.com Connected_From e76b3fd3e906ac23218b1fbd66fd29c3945ee209a29e9462bbc46b07d1645de2\r\n1faaa93908... Connected_To markcoprintandcopy.com\r\n1faaa93908... Connected_To aedlifepower.com\r\n1faaa93908... Connected_To 919xy.com\r\nmarkcoprintandcopy.com Connected_From 1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\naedlifepower.com Connected_From 1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\n919xy.com Connected_From 1faaa939087c3479441d9f9c83a80ac7ec9b929e626cb34a7417be9ff0316ff7\r\n3ff4ebae6c... Connected_To pakteb.com\r\n3ff4ebae6c... Connected_To nuokejs.com\r\n3ff4ebae6c... Connected_To qdbazaar.com\r\npakteb.com Connected_From 3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\npakteb.com Connected_From c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nnuokejs.com Connected_From 3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\nnuokejs.com Connected_From c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nqdbazaar.com Connected_From 3ff4ebae6c255d4ae6b747a77f2821f2b619825c7789c7ee5338da5ecb375395\r\nqdbazaar.com Connected_From c2f150dbe9a8efb72dc46416ca29acdbae6fd4a2af16b27f153eaabd4772a2a1\r\nc2f150dbe9... Connected_To pakteb.com\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 53 of 56\n\nc2f150dbe9... Connected_To nuokejs.com\r\nc2f150dbe9... Connected_To qdbazaar.com\r\n1678327c5f... Connected_To aurumgroup.co.id\r\n1678327c5f... Connected_To 51shousheng.com\r\n1678327c5f... 
Connected_To new.titanik.fr\r\naurumgroup.co.id Connected_From 1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\naurumgroup.co.id Connected_From c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\n51shousheng.com Connected_From 1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\n51shousheng.com Connected_From c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\nnew.titanik.fr Connected_From 1678327c5f36074cf5f18d1a92c2d9fea9bfae6c245eaad01640fd75af4d6c11\r\nnew.titanik.fr Connected_From c0ee19d7545f98fcd15725a3d9f0dbd0f35b2091e1c5b9cf4744f16e81a030c5\r\nc0ee19d754... Connected_To aurumgroup.co.id\r\nc0ee19d754... Connected_To 51shousheng.com\r\nc0ee19d754... Connected_To new.titanik.fr\r\n9e4bd9676b... Connected_To duratransgroup.com\r\n9e4bd9676b... Connected_To eygingenieros.com\r\n9e4bd9676b... Connected_To eventum.cwsdev3.biz\r\nduratransgroup.com Connected_From 9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\neygingenieros.com Connected_From 9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\neventum.cwsdev3.biz Connected_From 9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3\r\neee38c632c... Connected_To theinspectionconsultant.com\r\neee38c632c... Connected_To danagloverinteriors.com\r\neee38c632c... 
Connected_To as-brant.ru\r\ntheinspectionconsultant.com Connected_From f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\ntheinspectionconsultant.com Connected_From eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\ndanagloverinteriors.com Connected_From f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\ndanagloverinteriors.com Connected_From eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\nas-brant.ru Connected_From f6e1a146543d2903146698da5698b2a214201720c0be756c6e8d2a2f27dcfaff\r\nas-brant.ru Connected_From eee38c632c62ca95b5c66f8d39a18e23b9175845560af84b6a2f69b7f9b6ec1c\r\nf6e1a14654... Connected_To theinspectionconsultant.com\r\nf6e1a14654... Connected_To danagloverinteriors.com\r\nf6e1a14654... Connected_To as-brant.ru\r\n37bb27f4eb... Connected_To rxrenew.us\r\n37bb27f4eb... Connected_To creativefishstudio.com\r\n37bb27f4eb... Connected_To sensationalsecrets.com\r\nrxrenew.us Connected_From e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\nrxrenew.us Connected_From 37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\ncreativefishstudio.com Connected_From e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-133a\r\nPage 54 of 56\n\ncreativefishstudio.com Connected_From 37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\nsensationalsecrets.com Connected_From e6fc788b5ff7436da4450191a003966a68e2a1913c83f1d3aec78c65f3ba85ca\r\nsensationalsecrets.com Connected_From 37bb27f4eb40b8947e184afddba019001c12f97588e7f596ab6bc07f7c152602\r\ne6fc788b5f... Connected_To rxrenew.us\r\ne6fc788b5f... Connected_To creativefishstudio.com\r\ne6fc788b5f... Connected_To sensationalsecrets.com\r\n284bc47164... Connected_To rhythm86.com\r\n284bc47164... Connected_To cabba-cacao.com\r\n284bc47164... 
Connected_To 3x-tv.com\r\nrhythm86.com Connected_From 284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\ncabba-cacao.com Connected_From 284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\n3x-tv.com Connected_From 284bc471647f951c79e3e333b2b19aa37f84cc39b55441a82e2a5f7319131fac\r\na1cdb78410... Connected_To castorbyg.dk\r\na1cdb78410... Connected_To matthias-dlugi.de\r\na1cdb78410... Connected_To locphuland.com\r\ncastorbyg.dk Connected_From a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\nmatthias-dlugi.de Connected_From a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\nlocphuland.com Connected_From a1cdb784100906d0ac895297c5a0959ab21a9fb39c687baf176324ee84095472\r\n0a763da26a... Connected_To streamf.ru\r\n0a763da26a... Connected_To vinhsake.com\r\n0a763da26a... Connected_To bogorcenter.com\r\nstreamf.ru Connected_From 0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\nvinhsake.com Connected_From 0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\nbogorcenter.com Connected_From 0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e\r\n1884ddc53e... Connected_To stokeinvestor.com\r\n1884ddc53e... Connected_To growthincone.com\r\n1884ddc53e... Connected_To inverstingpurpose.com\r\nstokeinvestor.com Connected_From c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\nstokeinvestor.com Connected_From 1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\ngrowthincone.com Connected_From c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\ngrowthincone.com Connected_From 1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\ninverstingpurpose.com Connected_From c24c322f4535def3f8d1579c39f2f9e323787d15b96e2ee457c38925effe2d39\r\ninverstingpurpose.com Connected_From 1884ddc53ef66488ca8fc641b438895fcaada77c15210118465377c63223b3bc\r\nc24c322f45... Connected_To stokeinvestor.com\r\nc24c322f45... 
Connected_To growthincone.com\r\nc24c322f45... Connected_To inverstingpurpose.com\r\nMitigation\r\nSnort rules for this malware family are displayed below:\r\nalert tcp any any -\u003e any 80 (msg:\"handshake detected\"; content:\"*dJU!*JE\u0026!M@UNQ@\"; sid:5; rev:1;)\r\nalert tcp any any -\u003e any 80 (msg:\"handshake detected\"; content:\"t34kjfdla45l\"; sid:6; rev:1;)\r\nalert tcp any any -\u003e any 80 (msg:\"malware traffic detected\"; content: \"_webident_f\"; http_client_body; content: \"_webident_s \"; http_client_body; sid:33; rev:1;)\r\nalert tcp any any -\u003e any 80 (msg:\"malware traffic detected\"; content: \"_webident_f\"; http_client_body; content: \"_webident_s\"; http_client_body; sid:1; rev:1;)\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or contact@mail.cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/ar20-133a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.us-cert.gov/ncas/analysis-reports/ar20-133a"
	],
	"report_names": [
		"ar20-133a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434397,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2af7cbfa0f38a26e2b16e82fb6f6584a0200e0c2.pdf",
		"text": "https://archive.orkl.eu/2af7cbfa0f38a26e2b16e82fb6f6584a0200e0c2.txt",
		"img": "https://archive.orkl.eu/2af7cbfa0f38a26e2b16e82fb6f6584a0200e0c2.jpg"
	}
}