{
	"id": "ae53aed8-af76-4890-8b61-583630c309af",
	"created_at": "2026-04-06T00:09:12.666204Z",
	"updated_at": "2026-04-10T03:38:20.673471Z",
	"deleted_at": null,
	"sha1_hash": "d3b35b18e3741c7d9828405cf06ff2c051c2fc4e",
	"title": "MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85170,
	"plain_text": "MAR-10301706-1.v1 - North Korean Remote Access Tool:\r\nECCENTRICBANDWAGON | CISA\r\nPublished: 2020-08-26 · Archived: 2026-04-05 16:30:48 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS),\r\nthe Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners,\r\nDHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This\r\nmalware variant has been identified as ECCENTRICBANDWAGON. The U.S. Government refers to malicious cyber\r\nactivity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit\r\nhttps[:]//www[.]us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to\r\nmaintain a presence on victim networks and to further network exploitation. 
DHS, FBI, and DoD are distributing this MAR\r\nto enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the\r\nCybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the\r\nhighest priority for enhanced mitigation.\r\nThis report looks at malware samples known as ECCENTRICBANDWAGON. This family of malware is used as a\r\nreconnaissance tool. The samples in this report are used for keylogging and screen capture functionality. The samples are\r\nvery similar, but differ slightly in the location that they store the key logs and screenshots. Some variants have RC4\r\nencrypted strings within the executable and conduct a simple, ineffective cleanup, whereas others do not.\r\nFor a downloadable copy of IOCs, see MAR-10301706-1.v1.stix.\r\nSubmitted Files (4)\r\n32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8 (PSLogger .dll)\r\n9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e (PSLogger .dll)\r\nc6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec (PSLogger .dll)\r\nefd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e (PSLogger .dll)\r\nFindings\r\nefd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\r\nTags\r\nHIDDEN-COBRA backdoor keylogger reconnaissance screen-capture spyware trojan\r\nDetails\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a\r\nPage 1 of 11\n\nName PSLogger .dll\r\nSize 138240 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 d45931632ed9e11476325189ccb6b530\r\nSHA1 081d5bd155916f8a7236c1ea2148513c0c2c9a33\r\nSHA256 efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\r\nSHA512 
fd1b7ea95f66a660e9183c22755ac7d741823ba45a009bf9929546213308f89fd9ce8fcc2e70b56e427f0daa1b0965817d45dd9c2f5598404\r\nssdeep 3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1\r\nEntropy 6.096739\r\nAntivirus\r\nAhnlab Trojan/Win64.Agent\r\nAntiy Trojan[Spy]/Win64.Agent\r\nAvira TR/Spy.Agent.ftmjo\r\nBitDefender Trojan.GenericKD.40337042\r\nCyren W64/Trojan.WFEO-4014\r\nESET a variant of Win64/Spy.Agent.AP trojan\r\nEmsisoft Trojan.GenericKD.40337042 (B)\r\nFilseclab W64.Spy.Agent.AP.feaw\r\nIkarus Trojan-Spy.Win64.Agent\r\nK7 Spyware ( 00538f7c1 )\r\nLavasoft Trojan.GenericKD.40337042\r\nMcAfee RDN/Generic PWS.nq\r\nMicrosoft Security Essentials Trojan:Win32/Tiggre!plock\r\nNANOAV Trojan.Win64.Mlw.fgbvfi\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/Spy-AUK\r\nSymantec Trojan.Crobaruko\r\nSystweak malware.agent\r\nTrendMicro TSPY64_.F7315F7E\r\nTrendMicro House Call TSPY64_.F7315F7E\r\nVir.IT eXplorer Backdoor.Win32.Lazarus.BGM\r\nVirusBlokAda TrojanSpy.Win64.Agent\r\nZillya! 
Trojan.Agent.Win64.2215\r\nYARA Rules\r\nrule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance\r\nscreencapture spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r1.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan\"\r\n       Family = \"ECCENTRICBANDWAGON\"\r\n       Description = \"Detects strings in ECCENTRICBANDWAGON proxy tool\"\r\n       MD5_1 = \"d45931632ed9e11476325189ccb6b530\"\r\n       SHA256_1 = \"efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\"\r\n       MD5_2 = \"acd15f4393e96fe5eb920727dc083aed\"\r\n       SHA256_2 = \"32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8\"\r\n       MD5_3 = \"34404a3fb9804977c6ab86cb991fb130\"\r\n       SHA256_3 = \"c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\"\r\n       MD5_4 = \"3122b0130f5135b6f76fca99609d5cbe\"\r\n       SHA256_4 = \"9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e\"\r\n   strings:\r\n       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }\r\n       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }\r\n       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }\r\n       $sn4 = \"%s\\\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d\" wide ascii nocase\r\n       $sn5 = \"c:\\\\windows\\\\temp\\\\TMP0389A.tmp\" wide ascii nocase\r\n   condition:\r\n       any of them\r\n}\r\nssdeep Matches\r\n100 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8\r\nPE Metadata\r\nCompile Date 2018-04-27 22:53:06-04:00\r\nImport Hash f0faa229b086ea5053b4268855f0c8ba\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n09745305cbad67b17346f0f6dba1e700 header 1024 
2.729080\r\n5c2242b56a31d64b6ce82671d97a82a4 .text 92160 6.415763\r\n0d022eff24bc601d97d2088b4179bd18 .rdata 31232 4.934652\r\n578e5078ccb878f1aa9e309b4cfc2be5 .data 6144 2.115729\r\n09924946b47ef078f7e9af4f4fcb59dc .pdata 5632 4.803615\r\n7ead0113095bc6cb3b2d82f05fda25f3 .rsrc 512 5.115767\r\n7937397e0a31cdc87f5b79074825e18e .reloc 1536 2.931043\r\nDescription\r\nThis file is a 64-bit dynamic link library (DLL). This malware uses 3 files that will be used to store the key logs, screen\r\nshots, and log intervals. The location of these logs can be found in C:\\windows\\temp\\TMP0389A.tmp.\r\n--Begin Log Files--\r\n1. Keylog: %temp%\\GoogleChrome\\chromeupdate_pk\r\n2. Screenshots: %temp%\\GoogleChrome\\chromeupdate_ps_\u003cYYYYMMDD\u003e_\u003cHHMMSS\u003e_\u003csss\u003e_\u003cThreadID\u003e\r\n3. Log intervals: C:\\ProgramData\\2.dat\r\n--End Log Files--\r\nThe malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill\r\nvariable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. 
When the\r\nexport is called, the threads will return and the program will exit.\r\n32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8\r\nTags\r\nHIDDEN-COBRA backdoor keylogger reconnaissance screen-capture spyware trojan\r\nDetails\r\nName PSLogger .dll\r\nSize 138243 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 acd15f4393e96fe5eb920727dc083aed\r\nSHA1 c92529097cad8996f3a3c8eb34b56273c29bdce5\r\nSHA256 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8\r\nSHA512 82a946c2d0c9fffdd23d8e6b34028ac1b0368d4fd78302268aa4d954bead8a82ea15873a28d69946dceaf80fcafd0c52aeb59f47df5a029f77\r\nssdeep 3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1\r\nEntropy 6.096652\r\nAntivirus\r\nAhnlab Trojan/Win64.Agent\r\nAntiy Trojan[Spy]/Win64.Agent\r\nAvira TR/Spy.Agent.ftmjo\r\nBitDefender Trojan.GenericKD.40337042\r\nComodo Malware\r\nCyren W64/Trojan.WFEO-4014\r\nESET a variant of Win64/Spy.Agent.AP trojan\r\nEmsisoft Trojan.GenericKD.40337042 (B)\r\nIkarus Trojan-Spy.Win64.Agent\r\nK7 Spyware ( 00538f7c1 )\r\nLavasoft Trojan.GenericKD.40337042\r\nMicrosoft Security Essentials Trojan:Win32/Tiggre!plock\r\nNANOAV Trojan.Win64.Mlw.fgbtfv\r\nSymantec Trojan.Crobaruko\r\nSystweak malware.agent\r\nVir.IT eXplorer Backdoor.Win32.Lazarus.BGM\r\nVirusBlokAda TrojanSpy.Win64.Agent\r\nZillya! 
Trojan.Agent.Win64.2215\r\nYARA Rules\r\nrule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance\r\nscreencapture spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r1.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan\"\r\n       Family = \"ECCENTRICBANDWAGON\"\r\n       Description = \"Detects strings in ECCENTRICBANDWAGON proxy tool\"\r\n       MD5_1 = \"d45931632ed9e11476325189ccb6b530\"\r\n       SHA256_1 = \"efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\"\r\n       MD5_2 = \"acd15f4393e96fe5eb920727dc083aed\"\r\n       SHA256_2 = \"32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8\"\r\n       MD5_3 = \"34404a3fb9804977c6ab86cb991fb130\"\r\n       SHA256_3 = \"c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\"\r\n       MD5_4 = \"3122b0130f5135b6f76fca99609d5cbe\"\r\n       SHA256_4 = \"9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e\"\r\n   strings:\r\n       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }\r\n       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }\r\n       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }\r\n       $sn4 = \"%s\\\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d\" wide ascii nocase\r\n       $sn5 = \"c:\\\\windows\\\\temp\\\\TMP0389A.tmp\" wide ascii nocase\r\n   condition:\r\n       any of them\r\n}\r\nssdeep Matches\r\n100 efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\r\nPE Metadata\r\nCompile Date 2018-04-27 22:53:06-04:00\r\nImport Hash f0faa229b086ea5053b4268855f0c8ba\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n09745305cbad67b17346f0f6dba1e700 header 1024 
2.729080\r\n5c2242b56a31d64b6ce82671d97a82a4 .text 92160 6.415763\r\n0d022eff24bc601d97d2088b4179bd18 .rdata 31232 4.934652\r\n578e5078ccb878f1aa9e309b4cfc2be5 .data 6144 2.115729\r\n09924946b47ef078f7e9af4f4fcb59dc .pdata 5632 4.803615\r\n7ead0113095bc6cb3b2d82f05fda25f3 .rsrc 512 5.115767\r\n7937397e0a31cdc87f5b79074825e18e .reloc 1536 2.931043\r\nDescription\r\nThis file is a 64-bit DLL. This sample and \"efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\" are\r\nnearly identical with the only difference being that this sample has 3 extra NULL bytes at the end of the file.\r\nThis malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs\r\ncan be found in C:\\windows\\temp\\TMP0389A.tmp.\r\n--Begin Log Files--\r\n1. Keylog: %temp%\\GoogleChrome\\chromeupdate_pk\r\n2. Screenshots: %temp%\\GoogleChrome\\chromeupdate_ps_\u003cYYYYMMDD\u003e_\u003cHHMMSS\u003e_\u003csss\u003e_\u003cThreadID\u003e\r\n3. Log intervals: C:\\ProgramData\\2.dat\r\n--End Log Files--\r\nThe malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill\r\nvariable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. 
When the\r\nexport is called, the threads will return and the program will exit.\r\nc6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\r\nTags\r\nHIDDEN-COBRA backdoor keylogger reconnaissance screen-capture trojan\r\nDetails\r\nName PSLogger .dll\r\nSize 175104 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 34404a3fb9804977c6ab86cb991fb130\r\nSHA1 b345e6fae155bfaf79c67b38cf488bb17d5be56d\r\nSHA256 c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\r\nSHA512 01a8c8b66f6895387c6a347d02d00ea09619888f2727096a19d4c4ff50e6bf72367cbd41f09e89a57f7f3862efbb2db8177dbec086c4ce2ac\r\nssdeep 3072:AeO51bvWZElWhKQGhvNdx2GYZj+utNfBtZl7mGwwZWyNGVxBqu:A77beClWhKQG36UutNfB077Bqu\r\nEntropy 6.491987\r\nAntivirus\r\nAhnlab Malware/Gen.Generic\r\nAntiy GrayWare/Win32.Presenoker\r\nBitDefender Trojan.GenericKD.43188225\r\nCyren W32/Trojan.MZDN-2436\r\nESET a variant of Generik.HKZTFCG trojan\r\nEmsisoft Trojan.GenericKD.43188225 (B)\r\nIkarus Trojan.SuspectCRC\r\nK7 Trojan ( 005506c81 )\r\nLavasoft Trojan.GenericKD.43188225\r\nNANOAV Trojan.Win32.KeyLogger.fnwztc\r\nNetGate Malware.Generic\r\nSymantec Hacktool.Keylogger\r\nVir.IT eXplorer Backdoor.Win32.Lazarus.BGM\r\nVirusBlokAda TrojanSpy.Keylogger\r\nZillya! 
Trojan.Keylogger.Win32.9\r\nYARA Rules\r\nrule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance\r\nscreencapture spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r1.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan\"\r\n       Family = \"ECCENTRICBANDWAGON\"\r\n       Description = \"Detects strings in ECCENTRICBANDWAGON proxy tool\"\r\n       MD5_1 = \"d45931632ed9e11476325189ccb6b530\"\r\n       SHA256_1 = \"efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\"\r\n       MD5_2 = \"acd15f4393e96fe5eb920727dc083aed\"\r\n       SHA256_2 = \"32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8\"\r\n       MD5_3 = \"34404a3fb9804977c6ab86cb991fb130\"\r\n       SHA256_3 = \"c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\"\r\n       MD5_4 = \"3122b0130f5135b6f76fca99609d5cbe\"\r\n       SHA256_4 = \"9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e\"\r\n   strings:\r\n       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }\r\n       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }\r\n       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }\r\n       $sn4 = \"%s\\\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d\" wide ascii nocase\r\n       $sn5 = \"c:\\\\windows\\\\temp\\\\TMP0389A.tmp\" wide ascii nocase\r\n   condition:\r\n       any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-11-14 09:44:18-05:00\r\nImport Hash a8623b2da60776df129ebe0430d48d85\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n37ecb293f01edad89fcee1ce48e4cde3 header 1024 2.949326\r\n36fd9d805b7c591ab71eda922662e30a .text 124928 
6.650973\r\n1d3132305f18961b86c1fda0a2f4eea9 .rdata 38912 5.166660\r\n9e17ac76df46fd523a11378398cf026f .data 3072 2.367308\r\nbbee55723eaad8c7f73a5fa9bf2159d4 .gfids 512 2.275750\r\n264e317304c9b21a342169b33c0a791a .rsrc 512 4.717679\r\na1ab3dce319437b49198eeff43f4d847 .reloc 6144 6.422499\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis sample is nearly identical to \"efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\" with the\r\nexception that this sample will RC4 encrypt some of its strings and use different log files.\r\nThe following strings are RC4 encrypted with the key “key”:\r\n--Begin RC4 encrypted strings--\r\nDownloads\r\nc:\\windows\\temp\\TMP0389A.tmp\r\nc:\\windows\\temp\\tmp1105.tmp\r\n[CLIPBOARD]\r\n[/CLIPBOARD]\r\n--End RC4 encrypted strings--\r\nThis malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs\r\ncan be found in C:\\windows\\temp\\TMP0389A.tmp.\r\n--Begin log files--\r\n1. Keylog: %temp%\\Downloads\\tmp_\u003cUSERNAME\u003e\r\n2. Screenshots: %temp%\\Downloads\\tmp_\u003cUSERNAME\u003e_\u003cMMDD\u003e_\u003cHHMMSS\u003e\r\n3. Log intervals: c:\\windows\\temp\\tmp1105.tmp\r\n--End log files--\r\nThe malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill\r\nvariable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. 
When the\r\nexport is called, the threads will return and the program will exit.\r\n9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e\r\nTags\r\nHIDDEN-COBRA keylogger reconnaissance screen-capture spyware trojan\r\nDetails\r\nName PSLogger .dll\r\nSize 210944 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 3122b0130f5135b6f76fca99609d5cbe\r\nSHA1 ce6bc34b887d60f6d416a05d5346504c54cff030\r\nSHA256 9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e\r\nSHA512 788c666efeb664c7691a958d15eac2b80d3d17241f5e7c131e5dec2f761bcb70950018c1f8a85fd6600eff0d0fab0ce31fbcd364d16b6ef8b5\r\nssdeep 3072:6usGRlrmZ8LP/LqdmpWOY9Y9EbyBFWnqD5W3P4Tp31oItN7W0rVu6eRDP/fJkkj7:67GTjOdCWOKXbyCnCEQTp2CE0/gh\r\nEntropy 6.246368\r\nAntivirus\r\nAhnlab Trojan/Win64.Redbanc\r\nAntiy Trojan[Banker]/Win32.Alreay\r\nAvira TR/Spy.Agent.kdvkr\r\nBitDefender Trojan.GenericKD.41368668\r\nESET a variant of Win64/Spy.Agent.BG trojan\r\nEmsisoft Trojan.GenericKD.41368668 (B)\r\nIkarus Trojan-Spy.Keylogger.Lazarus\r\nK7 Spyware ( 005501401 )\r\nLavasoft Trojan.GenericKD.41368668\r\nMcAfee RDN/Generic PWS.tf\r\nNANOAV Trojan.Win64.Alreay.hoqvyj\r\nQuick Heal Trojan.Alreay\r\nSophos Troj/Alreay-A\r\nTACHYON Unknown-Type/Alreay.210944\r\nZillya! 
Trojan.Alreay.Win32.91\r\nYARA Rules\r\nrule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance\r\nscreencapture spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r1.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan\"\r\n       Family = \"ECCENTRICBANDWAGON\"\r\n       Description = \"Detects strings in ECCENTRICBANDWAGON proxy tool\"\r\n       MD5_1 = \"d45931632ed9e11476325189ccb6b530\"\r\n       SHA256_1 = \"efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\"\r\n       MD5_2 = \"acd15f4393e96fe5eb920727dc083aed\"\r\n       SHA256_2 = \"32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8\"\r\n       MD5_3 = \"34404a3fb9804977c6ab86cb991fb130\"\r\n       SHA256_3 = \"c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\"\r\n       MD5_4 = \"3122b0130f5135b6f76fca99609d5cbe\"\r\n       SHA256_4 = \"9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e\"\r\n   strings:\r\n       $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }\r\n       $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }\r\n       $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }\r\n       $sn4 = \"%s\\\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d\" wide ascii nocase\r\n       $sn5 = \"c:\\\\windows\\\\temp\\\\TMP0389A.tmp\" wide ascii nocase\r\n   condition:\r\n       any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-04-08 07:26:25-04:00\r\nImport Hash b113cba285f3c4ed179422f54692f4e3\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nfd81e5f6ab156dcdba2e2b92826ca192 header 1024 3.015020\r\n88ecd4fac45e45b294de415ca514a93c .text 137728 6.457660\r\naf0dab081123c1ad835c86f134138e7f .rdata 57344 5.118317\r\ne7c661026f7ecf701bbcbdd15ff2b825 
.data 3584 2.244033\r\n4b406030a4a3dcaea845c14124010691 .pdata 8192 5.172064\r\nf623a10ca467aac404ec6fda8e4810d4 .gfids 512 2.000422\r\n3695113543a23c53791caa70b4bd8874 .rsrc 512 4.724729\r\nf9f31f1689409c8834b7f0c28d948a65 .reloc 2048 4.924204\r\nDescription\r\nThis sample is nearly identical to \"c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\" with the\r\nexception that it RC4 encrypts some of its strings, uses different log files, and has a simple cleanup routine.\r\nThe following strings are RC4 encrypted with the key “key”:\r\n--Begin RC4 encrypted strings--\r\nTrendMicroUpdate\r\nc:\\windows\\temp\\TMP0389A.tmp\r\nc:\\windows\\temp\\tmp1105.tmp\r\n[CLIPBOARD]\r\n[/CLIPBOARD]\r\n--End RC4 encrypted strings--\r\nThis malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs\r\ncan be found in C:\\windows\\temp\\TMP0389A.tmp.\r\n--Begin log files--\r\n1. Keylog: %temp%\\TrendMicroUpdate\\update_\u003cUSERNAME\u003e\r\n2. Screenshots: %temp%\\TrendMicroUpdate\\update_\u003cMMDD\u003e_\u003cHHMMSSl\u003e\r\n3. Log Intervals: c:\\windows\\temp\\tmp1105.tmp\r\n--End log files--\r\nThis malware creates 3 threads to populate the log files listed above. Each one will continue to execute until the file\r\nC:\\windows\\temp\\tmp0207 contains a zero in a particular location. At this point, the program will signal an exit to the other\r\nthreads and begin a cleanup thread. The cleanup thread will delete C:\\windows\\temp\\tmp0207 and then call\r\nWinExec(cmd.exe /c taskkill /f /im explorer.exe). This will crash explorer.exe, which could potentially alert a user who was\r\nusing the device at the time.\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. 
Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. 
In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a"
	],
	"report_names": [
		"ar20-239a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3",
				"Black Artemis",
				"COVELLITE",
				"CTG-2460",
				"Citrine Sleet",
				"Diamond Sleet",
				"Guardians of Peace",
				"HIDDEN COBRA",
				"High Anonymous",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit",
				"UNC577",
				"Who Am I?",
				"Whois Team",
				"ZINC"
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Citrine Sleet",
				"HIDDEN COBRA",
				"Lazarus Group",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71"
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3b35b18e3741c7d9828405cf06ff2c051c2fc4e.pdf",
		"text": "https://archive.orkl.eu/d3b35b18e3741c7d9828405cf06ff2c051c2fc4e.txt",
		"img": "https://archive.orkl.eu/d3b35b18e3741c7d9828405cf06ff2c051c2fc4e.jpg"
	}
}