{
	"id": "b0ad469f-eb1a-413b-9b22-81d1257e45eb",
	"created_at": "2026-04-06T00:15:23.935804Z",
	"updated_at": "2026-04-10T03:21:20.761437Z",
	"deleted_at": null,
	"sha1_hash": "2d6d9a3a81b1461d10da562cd86647263cbf4af1",
	"title": "PebbleDash - Lazarus / HiddenCobra RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 465794,
	"plain_text": "PebbleDash - Lazarus / HiddenCobra RAT\r\nBy malwarenailed\r\nPublished: 2020-06-01 · Archived: 2026-04-05 18:33:47 UTC\r\nHi folks. I was analyzing the PebbleDash malware used by the Lazarus APT group. While analyzing the original sample (MD5: d2de01858417fa3b580b3a95857847d5), I was able to find the C2 server and the port it intends to communicate with. I also found an interesting technique it uses to identify the OS version of the victim machine.\r\nDuring static analysis, I observed interesting strings starting with \"Zip-bug\", as can be seen below. Using YARA rules I was able to discover some other samples uploaded to HA (Hybrid Analysis) with the same strings embedded. These samples did not seem to be related to d2de01858417fa3b580b3a95857847d5. However, they communicated to South Korea and China.\r\nWhile performing dynamic analysis, I observed that the sample uses the API call IsProcessorFeaturePresent to determine the version of the victim OS. The PF_FLOATING_POINT_PRECISION_ERRATA feature is explicitly set to FALSE in x86 version 6.1 and higher.\r\nhttps://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1\r\nPage 1 of 4\r\nThe sample loads several libraries dynamically at run time, including wsock32.dll. Malware usually does this as an anti-analysis technique (specifically, to hinder static analysis).\r\nAfter loading the libraries, the malware saves the memory offsets of the API functions it intends to use, as can be seen below.\r\nIt then tries to open a socket connection by calling the connect function.\r\nI decoded the \"sockaddr\" structure which is passed to the connect function.\r\nThe first two bytes in the structure represent the destination port, and we can see that it is 443 in this case. The remaining four bytes are 0x70 0xd9 0x6C 0x8A, which translates to 112.217.108.138 (hex to decimal). This is the C2 IP address that PebbleDash communicates with. This IOC can also be seen in the US-CERT advisory.\r\nPebbleDash inserts a fake \"server name\" in the TLS packet. We can see some of them below:\r\nSource: https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1"
	],
	"report_names": [
		"peebledash-lazarus-hiddencobra-rat.html?m=1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d6d9a3a81b1461d10da562cd86647263cbf4af1.pdf",
		"text": "https://archive.orkl.eu/2d6d9a3a81b1461d10da562cd86647263cbf4af1.txt",
		"img": "https://archive.orkl.eu/2d6d9a3a81b1461d10da562cd86647263cbf4af1.jpg"
	}
}