{
	"id": "61309beb-f6e1-4cfe-867e-a7034311ecb8",
	"created_at": "2026-04-06T00:15:58.602504Z",
	"updated_at": "2026-04-10T03:38:19.487877Z",
	"deleted_at": null,
	"sha1_hash": "e553083dd46f0a8dcf0bc0a12b5265d6973b7a1c",
	"title": "MAR-10265965-1.v1 – North Korean Trojan: BISTROMATH | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 119273,
	"plain_text": "MAR-10265965-1.v1 – North Korean Trojan: BISTROMATH | CISA\r\nPublished: 2020-02-14 · Archived: 2026-04-05 16:51:10 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the\r\nFederal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners,\r\nDHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has\r\nbeen identified as BISTROMATH. The U.S. Government refers to malicious cyber activity by the North Korean government\r\nas HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.\r\nDHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government\r\nmalicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. 
Users or administrators should flag activity associated with the malware and report the activity to the\r\nCybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the\r\nhighest priority for enhanced mitigation.\r\nThis report looks at multiple versions of a full-featured RAT implant executable and multiple versions of the CAgent11 GUI\r\nimplant controller/builder. These samples perform simple XOR network encoding and are capable of many features,\r\nincluding conducting system surveys, file upload/download, process and command execution, and monitoring the\r\nmicrophone, clipboard, and the screen. The GUI controllers allow interaction with the implant as well as the option to\r\ndynamically build new implants with customized options. The implants are loaded with a trojanized executable containing a\r\nfake bitmap that decodes into shellcode, which loads the embedded implant.\r\nFor a downloadable copy of IOCs, see MAR-101265965-1.v1.stix.\r\nSubmitted Files (5)\r\n04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 (96071956D4890AEBEA14ECD8015617...)\r\n1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 (688890DDBF532A4DE7C83A58E6AA59...)\r\n618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 (0AE8A7B6B4D70C0884095629FC02C1...)\r\n738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 (C51416635E529183CA5337FADE8275...)\r\nb6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32 (26520499A3FC627D335E34586E99DE...)\r\nAdditional Files (2)\r\n133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f (a21171923ec09b9569f2baad496c9e...)\r\n43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c (83833f8dbdd6ecf3a1212f5d1fc3d9...)\r\nIPs (1)\r\n159.100.250.231\r\nFindings\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar20-045a\r\nPage 1 of 
24\n\n1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\r\nTags\r\nbackdoor, emotet, trojan\r\nDetails\r\nName 688890DDBF532A4DE7C83A58E6AA594F\r\nName ss.exe\r\nSize 1102926 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 688890ddbf532a4de7c83a58e6aa594f\r\nSHA1 d8f6a7f32c929ce9458691447ff1cf6d180588c8\r\nSHA256 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\r\nSHA512 8484bea6adf27c2323632c3e94f91eb313e341622b5696b0d24105be1f24fa356f5fceb8fcf691e2d309fd24f7d8bb41fd7b682c29193128a\r\nssdeep 24576:kgWxnOH3vvS+7nD03glQ1J6cS2lvyip5HkRpB7T4IRMh3y:kgWZMvSKnY3DJLSoORT7ThAC\r\nEntropy 7.951069\r\nAntivirus\r\nAhnlab Trojan/Win32.Bmdoor\r\nAntiy Trojan[Backdoor]/Win32.Androm\r\nAvira TR/Injector.ukfuc\r\nBitDefender Trojan.GenericKD.41987827\r\nClamAV Win.Trojan.Agent-7376538-0\r\nCyren W32/Trojan.IZTF-2035\r\nESET a variant of Win32/Injector.DQTY trojan\r\nEmsisoft Trojan.GenericKD.41987827 (B)\r\nIkarus Trojan.Win32.Injector\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee Trojan-Injector.c\r\nMicrosoft Security Essentials Trojan:Win32/Agentesla!MTB\r\nNANOAV Trojan.Win32.Androm.ghyuau\r\nSophos Troj/Inject-ETF\r\nSymantec Backdoor.Tidserv\r\nSystweak trojan.injector\r\nTACHYON Backdoor/W32.Androm.1102926\r\nTrendMicro TROJ_FR.7170E263\r\nTrendMicro House Call TROJ_FR.7170E263\r\nVirusBlokAda Backdoor.Androm\r\nZillya! 
Backdoor.Androm.Win32.44606\r\nYARA Rules\r\nrule CryptographyFunction\r\n{\r\n   meta:\r\n       author = \"CISA trusted 3rd party\"\r\n       incident = \"10271944.r1.v1\"\r\n       date = \"2019-12-25\"\r\n       category = \"Hidden_Cobra\"\r\n       family = \"HOTCROISSANT\"\r\n   strings:\r\n       $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7]\r\n33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5]\r\nC1 [1-5] 33 [1-4] C1 [1-5] C1 }\r\n   condition:\r\n       uint16(0) == 0x5A4D and any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2008-01-17 10:34:19-05:00\r\nImport Hash 68d3c5fd0c41042f190fa12a4eebfe1b\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n0b8ab9af886c4161371944bd46af685d header 1024 2.484025\r\n0cc984b88cda683bad52d886fbadf22d .text 77824 6.585222\r\nd7200a9095f81e46d89eb2175a7d16ba .rdata 21504 4.940483\r\n56eae295cdc645a889cc51643c19ca1c .data 5632 3.200450\r\n31d4e62663767a64bd72b957df2bed2e .rsrc 1536 4.029623\r\nc7a9818fe1b1f64be18f67db25dbed6d .reloc 7680 4.982554\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n1ea6b3e99b... Connected_To 159.100.250.231\r\n1ea6b3e99b... Contains 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c\r\nDescription\r\nThe samples use a PlanetCPP.com ‘RichEdit example’ executable to obfuscate calling a decryption function which decrypts\r\nan embedded ‘fake’ bitmap image into the configuration and shellcode. 
When the malicious function is called, it\r\ndeobfuscates API pointers, loads the full file into memory, calculates an offset into the memory to a ‘fake’ bitmap image,\r\ndecodes the image, which becomes configuration options and shellcode, and then executes the shellcode.\r\nThe embedded shellcode has many selectable options.\r\n----------Begin Shellcode Options----------\r\n- option00: Embedded vs Downloaded payload\r\n   0 -\u003e payload embedded within own file at offset (option27 + option28 + option22)\r\n   1 -\u003e Download payload from url \u003coption30\u003e to %temp$\\\u003coption31\u003e\\RGID3D88.tmp\r\n- option01: True -\u003e check for vm artifacts:\r\n   registry checks:\r\n       VMWARE Scsi device\r\n       VBOX Scsi device\r\n       QEMU Scsi device\r\n       SOFTWARE\\Vmware,Inc.\\Vmware_Tools\r\n       HARDWARE\\Description\\System\\SystemBiosVersion == \"VBOX\"\r\n       HARDWARE\\Description\\System\\SystemBiosVersion == \"QEMU\"\r\n       HARDWARE\\Description\\System\\SystemBiosVersion == \"BOCHS\"\r\n       HARDWARE\\Description\\System\\VideoBiosVersion == \"VIRTUALBOX\"\r\n       HARDWARE\\Description\\System\\SystemBiosDate == 06/23/99\r\n       SOFTWARE\\Oracle\\VirtualBox_Guest_Additions\r\n       HARDWARE\\ACPI\\DSDT\\VBOX_\r\n       HARDWARE\\ACPI\\FADT\\VBOX__\r\n       HARDWARE\\ACPI\\RSDT\\VBOX__\r\n       SYSTEM\\ControlSet001\\Services\\VBoxGuest\r\n       SYSTEM\\ControlSet001\\Services\\VBoxMouse\r\n       SYSTEM\\ControlSet001\\Services\\VBoxService\r\n       SYSTEM\\ControlSet001\\Services\\VBoxSF\r\n       SYSTEM\\ControlSet001\\Services\\VBoxVideo\r\n   file checks:\r\n       C:\\WINDOWS\\system32\\drivers\\vmmouse.sys\r\n       C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys\r\n       \\\\.\\HGFS\r\n       \\\\.\\vmci\r\n       C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys\r\n       C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys\r\n       
C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys\r\n       C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys\r\n       C:\\WINDOWS\\system32\\vboxdisp.dll\r\n       C:\\WINDOWS\\system32\\vboxhook.dll\r\n       C:\\WINDOWS\\system32\\vboxmrxnp.dll\r\n       C:\\WINDOWS\\system32\\vboxogl.dll\r\n       C:\\WINDOWS\\system32\\vboxoglarrayspu.dll\r\n       C:\\WINDOWS\\system32\\vboxoglcrutil.dll\r\n       C:\\WINDOWS\\system32\\vboxoglerrorspu.dll\r\n       C:\\WINDOWS\\system32\\vboxoglfeedbackspu.dll\r\n       C:\\WINDOWS\\system32\\vboxoglpackspu.dll\r\n       C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll\r\n       C:\\WINDOWS\\system32\\vboxservice.exe\r\n       C:\\WINDOWS\\system32\\vboxtray.exe\r\n       C:\\WINDOWS\\system32\\VBoxControl.exe\r\n       C:\\program_files\\oracle\\virtualbox_guest_additions\r\n       \\\\.\\VBoxMiniRdrDN\r\n       \\\\.\\pipe\\VBoxMiniRdDN\r\n       \\\\.\\VBoxTrayIPC\r\n       \\\\.\\pipe\\VBoxTrayIPC\r\n   Network Adapter checks:\r\n       Check for Vmware MAC addresses\r\n       Check for VirtualBox MAC addresses\r\n       Check for VMware network adapter\r\n   Window Checks:\r\n       VBoxTrayToolWndClass\r\n       VBoxTrayToolWnd\r\n   Process Checks:\r\n       vboxservice.exe\r\n       vboxtray.exe\r\n   Loaded DLLs:\r\n       vmcheck.dll\r\n- option02: True -\u003e check for sandbox artifacts:\r\n   Verify spin loops aren't skipped\r\n   Verify kernel32 doesn't contain export \"wine_get_unix_file_name\"\r\n   Verify Numa api calls are not bypassed\r\n   Loaded DLLs:\r\n       SbieDll.dll\r\n       api_log.dll\r\n       dir_watch.dll\r\n       dbghelp.dll\r\n       wpespy.dll\r\n   registry checks:\r\n       SOFTWARE\\Wine\r\n   file checks:\r\n       C:\\sandbox\\sandbox.exe\r\n       C:\\sandbox\\sbfwe.dll\r\n   username checks:\r\n       SANDBOX\r\n       VIRUS\r\n       MALWARE\r\n       SCHMIDTI\r\n       CURRENTUSER\r\n       ANDY\r\n 
  current directory checks:\r\n       VIRUS\r\n       SANDBOX\r\n       SAMPLE\r\n- option03: True -\u003e check for debugging artifacts:\r\n   API calls:\r\n       IsDebuggerPresent\r\n       CheckRemoteDebuggerPresent\r\n       NtQueryInformationProcess\r\n       GetThreadContext\r\n       OutputDebugString\r\n- option04: Check if certain processes are running:\r\n   0 -\u003e ignored\r\n   1 -\u003e exit if specific processes are running\r\n   2 -\u003e exit if specific processes are not running\r\n   parses option31_array_+0x200 for a list of ;,: separated process names\r\n- option05: Queries Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall keys\r\n   exits if return value is != 0\r\n- option06: Check for specific languages\r\n   0 -\u003e ignored\r\n   1 -\u003e exit if current language is found in list\r\n   2 -\u003e exit if current language is not found in list\r\n   parses option31_array_+0x4b0 for a list of ;,: separated languages\r\n- option07: Check for specific usernames\r\n   0 -\u003e ignored\r\n   1 -\u003e exit if current username is found in list\r\n   2 -\u003e exit if current username is not found in list\r\n   parses option31_array_+0x6b8 for a list of ;,: separated usernames\r\n- option08: Check for specific computernames\r\n   0 -\u003e ignored\r\n   1 -\u003e exit if current computername is found in list\r\n   2 -\u003e exit if current computername is not found in list\r\n   parses option31_array_+0x8ac for a list of ;,: separated computernames\r\n- option09: Something with querying Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall keys\r\n   exits if return value is \u003c option09_value\r\n- option10: integer value -\u003e exits if there are fewer than this many processes running\r\n- option11-14: Check for system/drive info\r\n   11==0x001 -\u003e exit if number of processors \u003c= option12\r\n   11==0x010 -\u003e exit if total physical memory 
\u003c= option13\r\n   11==0x100 -\u003e exit if total harddisk space \u003c= option14\r\n- option12/27/28: if True -\u003e exploit dll hijack in cliconfg.exe (SQL Server Client Network Utility)\r\n   dumps a number (option28) of bytes from an offset (option27) of this file into %temp%\\ntwdblib.dll\r\n   creates a Software\\Claiomh registry key\r\n   executes cliconfg.exe (which loads ntwdblib.dll)\r\n- option16: Set EnableLUA registry key\r\n   SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA to \u003coption16\u003e\r\n- option17: Create Persistence\r\n   0 -\u003e ignored\r\n   1 -\u003e Add registry key to Software\\Microsoft\\Windows\\CurrentVersion\\Run using a name from option31_array_+0x960\r\n   2 -\u003e Copy self into Startup folder\r\n   3 -\u003e Create an hourly Scheduled Task called \"System Backup\"\r\n- option18/23: Process Hollowing vs Drop/Execute\r\n   == 0 -\u003e Do Process Hollowing\r\n   != 0 -\u003e Dump payload to file and execute directly:\r\n       write to %temp%\\RT5380.exe using own file offset (option27 + option28 + option22) and execute\r\n       write to %temp%\\\u003coption30\u003e using own file offset (option27 + option28 + option22) and execute\r\n       check option23:\r\n           ==0 -\u003e ignored\r\n           !=0 -\u003e delete self and replace self with the dropped file\r\n- option19: Process to create/hollow/inject/execute\r\n   0 -\u003e self\r\n   1 -\u003e svchost.exe\r\n   2 -\u003e conhost.exe\r\n   3 -\u003e explorer.exe\r\n   4 -\u003e value of \"http\\shell\\open\\command\" registry key\r\n   5 -\u003e \u003coption33\u003e\r\n- option20: Sleep timer\r\n   Milliseconds to sleep before doing process hollowing\r\n- option21/26: Kill timer\r\n   0 -\u003e ignored\r\n   1 -\u003e if timestamp of module + \u003coption26\u003e \u003e= currentTime -\u003e remove persistence, delete self, exit process\r\n- option29/34/35: move file to desired location, delete old file, and execute from new location\r\n   
additional path is in option34\r\n   new filename is in option35\r\n   0 -\u003e C:\\\r\n   1 -\u003e %windir%\r\n   2 -\u003e %system%\r\n   3 -\u003e %programfiles%\r\n   4 -\u003e %programfiles%\\Common Files\\\r\n   5 -\u003e C:\\ProgramData\\\r\n   6 -\u003e %userprofile%\r\n   7 -\u003e %userprofile%\\Documents\\\r\n   8 -\u003e %temp%\r\n   9 -\u003e %userprofile%\\Favorites\\\r\n   10 -\u003e %appdata%n\r\n   11 -\u003e %localappdata%\r\n- option36: char[40] - Unknown - Possibly adds a mutex to the hollowed process to enforce a single execution\r\n   Uses argument to create a named mutex\r\n   Injects additional code into the hollowed process (from offset 0x28c0)\r\n   Injects \u003coption36\u003e into the hollowed process\r\n   Creates another remote thread in the hollowed process pointing at offset 0x465a of the newly injected memory\r\n----------End Shellcode Options----------\r\nScreenshots\r\nFigure 1: Implant Functionality\r\n618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6\r\nTags\r\ndropper, emotet, keylogger, spyware, trojan\r\nDetails\r\nName 0AE8A7B6B4D70C0884095629FC02C19C\r\nName CAgent11.exe\r\nSize 13498368 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 0ae8a7b6b4d70c0884095629fc02c19c\r\nSHA1 9efa2d68932ff24cb18eb7e35aa5f91ce99596e8\r\nSHA256 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6\r\nSHA512 08f724812cbeff4020ac3fb07cafec5cde17f53f4644d554351cf4056907a6363d5b21ed3720976820307b43a543e81c6cc27c241f4449fd9\r\nssdeep 196608:Klq/1ui17DaLU1l4O5dm/+f99FLOyomFHKnPG:GcvlmLMg/299F\r\nEntropy 5.658332\r\nAntivirus\r\nAhnlab Dropper/Win32.Keylogger\r\nAntiy Trojan[Spy]/Win32.Agent\r\nAvira HEUR/AGEN.1038092\r\nCyren W32/Agent.RBBJ-4429\r\nESET a variant of Win32/Spy.Agent.PUH trojan\r\nIkarus Trojan-Spy.Agent\r\nK7 Spyware ( 00555d821 )\r\nMcAfee Trojan-Injector.d\r\nMicrosoft Security Essentials 
Trojan:Win32/Emotet\r\nNANOAV Trojan.Win32.Graftor.ggzicq\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/Agent-BCXS\r\nSymantec Trojan Horse\r\nSystweak malware.keylogger\r\nTACHYON Trojan/W32.Keylogger.13498368\r\nVirusBlokAda TrojanSpy.Agent\r\nZillya! Trojan.Agent.Win32.1169060\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-03-21 21:12:17-04:00\r\nImport Hash c4406c66f7ca84ffb881d843c49acbd6\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ne7e02cd4a189cea5efaa8fb36509aa45 header 1024 3.530105\r\nd41d8cd98f00b204e9800998ecf8427e .textbss 0 0.000000\r\n5db50cefbb12a73d10aad429548befe7 .text 7047680 5.565086\r\ne9a63040b7f3e75b5746d8202d8594f5 .rdata 904704 4.415613\r\n1e815bbe0c5cadf4953bbaac6259dcaa .data 40448 4.299279\r\n16342b710a408579ee34f3ccf9927331 .idata 28672 5.161732\r\nc573bd7cea296a9c5d230ca6b5aee1a6 .tls 1024 0.011174\r\n011d6c8672f924dc710a68acb6bc74f9 .00cfg 512 0.061163\r\n867de3faa85f377519582ed29a83384c .rsrc 5123072 4.951562\r\ne74f13482e13eb316d544b69a046ff15 .reloc 351232 6.011950\r\nPackers/Compilers/Cryptors\r\nDescription\r\nSee analysis for \"04D70BB249206A006F83DB39BBE49FF6E520EA329E5FBB9C758D426B1C8DEC30\".\r\nImplants built with sample \"04D70BB249206A006F83DB39BBE49FF6E520EA329E5FBB9C758D426B1C8DEC30\" are\r\nnot compatible with this controller, and vice versa.\r\nb6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32\r\nTags\r\nbackdoor, emotet, trojan\r\nDetails\r\nName 26520499A3FC627D335E34586E99DE7A\r\nName ADManager.exe\r\nSize 1120318 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 26520499a3fc627d335e34586e99de7a\r\nSHA1 df10c097e42dbe7ea4478a984c5e2ab586147519\r\nSHA256 b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32\r\nSHA512 
898ab1a1cd5a731e94a7b4c0a274e81092fe6de2ea888b3db2d22cf4d0bacbbb36f486152ff10f61f054091aee421f00d89a8741fce0f370cc\r\nssdeep 24576:3gWPfTO4H59Z6PTvnh2gf2JfvoioZ74XKBpNCY+SOToKMcxGa52w:3gW3S4Z9ATcggox4wpwYq9Mcx3B\r\nEntropy 7.953591\r\nAntivirus\r\nAhnlab Backdoor/Win32.Androm\r\nAntiy Trojan[Backdoor]/Win32.Androm\r\nAvira TR/Injector.cskrn\r\nBitDefender Trojan.GenericKD.41987802\r\nClamAV Win.Trojan.Agent-7376533-0\r\nCyren W32/Androm.DKHG-0510\r\nESET a variant of Win32/Injector.DQTY trojan\r\nEmsisoft Trojan.GenericKD.41987802 (B)\r\nIkarus Trojan.Win32.Injector\r\nK7 Riskware ( 0040eff71 )\r\nMcAfee Trojan-Injector.c\r\nMicrosoft Security Essentials Trojan:Win32/Agentesla!MTB\r\nNANOAV Trojan.Win32.Androm.ggadbc\r\nSophos Troj/Inject-ETF\r\nSymantec Trojan Horse\r\nSystweak trojan.injector\r\nTACHYON Backdoor/W32.Androm.1120318\r\nTrendMicro TROJ_FR.7170E263\r\nTrendMicro House Call TROJ_FR.7170E263\r\nVirusBlokAda Backdoor.Androm\r\nZillya! Backdoor.Androm.Win32.44606\r\nYARA Rules\r\nrule CryptographyFunction\r\n{\r\n   meta:\r\n       author = \"CISA trusted 3rd party\"\r\n       incident = \"10271944.r1.v1\"\r\n       date = \"2019-12-25\"\r\n       category = \"Hidden_Cobra\"\r\n       family = \"HOTCROISSANT\"\r\n   strings:\r\n       $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7]\r\n33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5]\r\nC1 [1-5] 33 [1-4] C1 [1-5] C1 }\r\n   condition:\r\n       uint16(0) == 0x5A4D and any of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-03-26 09:21:10-04:00\r\nImport Hash 68d3c5fd0c41042f190fa12a4eebfe1b\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na507172c7e89d3f88c70c4fd6827a522 header 1024 2.476553\r\n0cc984b88cda683bad52d886fbadf22d .text 77824 
6.585222\r\nd7200a9095f81e46d89eb2175a7d16ba .rdata 21504 4.940483\r\n56eae295cdc645a889cc51643c19ca1c .data 5632 3.200450\r\n58dbdc33cb7f42b5e3a9f0fcc94d6b1f .rsrc 1024 4.796047\r\nc7a9818fe1b1f64be18f67db25dbed6d .reloc 7680 4.982554\r\nPackers/Compilers/Cryptors\r\nRelationships\r\nb6811b4202... Connected_To 159.100.250.231\r\nb6811b4202... Contains 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f\r\nDescription\r\nSee analysis for file \"1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\" for additional details.\r\n738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790\r\nTags\r\ntrojan\r\nDetails\r\nName C51416635E529183CA5337FADE82758A\r\nName server.exe\r\nSize 947200 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 c51416635e529183ca5337fade82758a\r\nSHA1 830368d88b661d09c084e484713effb8d230d328\r\nSHA256 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790\r\nSHA512 244b67e0b9e9ab2fa6ccceeb4ad71207f1d8371af9c69af93bcc15cc8b592aca54e9c241d439b94ed28923d4622050fccdc38b326a8d15b82\r\nssdeep 24576:9oV9SPwODditnxk93QKTrCEgqAGYOEgJZ+0Mn:9o2I2du23QxErv7ESZ+7n\r\nEntropy 6.703705\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy Trojan/Win32.AGeneric\r\nAvira HEUR/AGEN.1038092\r\nBitDefender Trojan.GenericKD.32683846\r\nClamAV Win.Trojan.Agent-7376468-0\r\nCyren W32/Agent.KUBI-8127\r\nESET a variant of Win32/Agent.SSC trojan\r\nEmsisoft Trojan.GenericKD.32683846 (B)\r\nIkarus Trojan.Win32.Agent\r\nK7 Trojan ( 0027657e1 )\r\nMcAfee Generic Trojan.sh\r\nNANOAV Trojan.Win32.TrjGen.ghyubn\r\nSophos Troj/Agent-BCXS\r\nSymantec Trojan Horse\r\nSystweak malware.passwordstealer\r\nTrendMicro TROJ_FR.7170E263\r\nTrendMicro House Call TROJ_FR.7170E263\r\nVirusBlokAda BScope.TrojanSpy.Agent\r\nZillya! 
Trojan.Agent.Win32.1168332\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-04-13 23:44:03-04:00\r\nImport Hash d31e404296b957729148721e11f3bc88\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n1db5d7f5d8e2fa35f4077d3c28b60ae7 header 1024 3.229935\r\n6f6469c660281de2c72fa3685d55a8ec .text 710656 6.655052\r\n0847400b5430782ad644a30cd8240c73 .rdata 167424 5.776485\r\n77ab2f92d6177b9e39430447aa595073 .data 37376 5.315603\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\n1704ffd93e9d463dc42784bc03bbfd5d .gfids 512 2.779799\r\n850aa99c8c1a85dc7545811d66bb0c17 .rsrc 512 4.717679\r\n48da542e50cc8e12bdb9cab38a8ce0cb .reloc 29184 6.576636\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n738ba44188... Connected_To 159.100.250.231\r\nDescription\r\nThis sample is a full-featured RAT executable.\r\nSee analysis for file \"1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\" for additional details.\r\nThis sample differs slightly in the following ways:\r\nVictim_info for this version contains Unicode strings. 
The RAT is controllable by an unknown variant of CAgent.exe.\r\n04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30\r\nTags\r\ndropper, emotet, keylogger, spyware, trojan\r\nDetails\r\nName 96071956D4890AEBEA14ECD8015617CC\r\nName CAgent11.exe\r\nSize 7014400 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 96071956d4890aebea14ecd8015617cc\r\nSHA1 49e16180795034a4888fff776968e29871f79340\r\nSHA256 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30\r\nSHA512 29abd5fa0c24e42916631f830b6860027dcefdfd320978bee389e55f4f04278668ec4cfb67e5b1c8b7133338cc0fb09ffae28c5cf6d5226d1f\r\nssdeep 98304:SC6l4uHxECiYwS2BsszjfisjJiBg1pDClmMFLOAkGkzdnEVomFHKnP:P44uHi0mFi+1p+FLOyomFHKnP\r\nEntropy 5.907837\r\nAntivirus\r\nAhnlab Dropper/Win32.Keylogger\r\nAvira HEUR/AGEN.1038092\r\nBitDefender Trojan.GenericKD.32683845\r\nCyren W32/Trojan.KVTC-7019\r\nESET a variant of Win32/Spy.Agent.PUH trojan\r\nEmsisoft Trojan.GenericKD.32683845 (B)\r\nIkarus Trojan-Spy.Agent\r\nK7 Spyware ( 00555d821 )\r\nMcAfee Trojan-Injector.d\r\nMicrosoft Security Essentials Trojan:Win32/Emotet\r\nNANOAV Trojan.Win32.TrjGen.ghyuap\r\nSophos Troj/Agent-BCXS\r\nSymantec Trojan Horse\r\nSystweak malware.keylogger\r\nTACHYON Trojan/W32.Keylogger.7014400\r\nTrendMicro TROJ_FR.7170E263\r\nTrendMicro House Call TROJ_FR.7170E263\r\nVirusBlokAda TrojanSpy.Agent\r\nZillya! 
Trojan.Agent.Win32.1168788\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-03-26 00:28:24-04:00\r\nImport Hash 0937a296014c778f116e3990f06e314b\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na9fb26d3d4f4a80f2c2f7aeb1201325a header 1024 3.391911\r\nc788578d4f02ac011ffabd20db4506f3 .text 1619456 6.522579\r\n7a1b03c4f7501d6f82d34a01fe9cf6b7 .rdata 348160 5.245418\r\n50c4f4eab880975227b9b4d454941979 .data 24064 4.732755\r\nb9af73df5ec7fb7a68b1c00d83e6b404 .gfids 111104 4.230152\r\n52f93ebec3bc0c9da8e85ddf5ad812f4 .giats 512 0.155178\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\ne0376d74c0a0f746949b4647d35ef424 .rsrc 4774400 5.470347\r\n9011be24e5ab8066360bd7d0af07cea6 .reloc 135168 6.491093\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis sample is a GUI implant controller titled “Cyber Agent v11.0”. It is capable of dynamically building new bot payloads\r\nwith the following options:\r\n----------Begin Payload Options----------\r\nCallback IP\r\nCallback Port\r\nBeacon Interval\r\nOutput Path\r\n----------End Payload Options----------\r\nvictim_info (see analysis for \"43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c\") is displayed for\r\neach implant beacon received. The controller supports a Remote Desktop viewer, drive enumeration, file\r\nupload/download, process and service listing, a reverse shell, microphone capture and recording, a keylogger, browser activity\r\nand cached password collection, and DLL loading and unloading. 
The controller has the ability to provide implants with an Update URL\r\nas well as an option to uninstall all bots.\r\n159.100.250.231\r\nPorts\r\n80 TCP\r\n8080 TCP\r\nWhois\r\n% IANA WHOIS server\r\n% for more information on IANA, visit http://www.iana.org\r\n% This query returned 1 object\r\nrefer:        whois.arin.net\r\ninetnum:     159.0.0.0 - 159.255.255.255\r\norganisation: Administered by ARIN\r\nstatus:     LEGACY\r\nwhois:        whois.arin.net\r\nchanged:     1993-05\r\nsource:     IANA\r\n# whois.arin.net\r\nNetRange:     159.100.0.0 - 159.101.255.255\r\nCIDR:         159.100.0.0/15\r\nNetName:        RIPE-ERX-159-100-0-0\r\nNetHandle:     NET-159-100-0-0-1\r\nParent:         NET159 (NET-159-0-0-0-0)\r\nNetType:        Early Registrations, Transferred to RIPE NCC\r\nOriginAS:    \r\nOrganization: RIPE Network Coordination Centre (RIPE)\r\nRegDate:        2003-10-29\r\nUpdated:        2003-10-29\r\nComment:        These addresses have been further assigned to users in\r\nComment:        the RIPE NCC region. Contact information can be found in\r\nComment:        the RIPE database at http://www.ripe.net/whois\r\nRef:            https://rdap.arin.net/registry/ip/159.100.0.0\r\nResourceLink: https://apps.db.ripe.net/search/query.html\r\nResourceLink: whois.ripe.net\r\nOrgName:        RIPE Network Coordination Centre\r\nOrgId:         RIPE\r\nAddress:        P.O. 
Box 10096\r\nCity:         Amsterdam\r\nStateProv:    \r\nPostalCode:     1001EB\r\nCountry:        NL\r\nRegDate:        \r\nUpdated:        2013-07-29\r\nRef:            https://rdap.arin.net/registry/entity/RIPE\r\nReferralServer: whois://whois.ripe.net\r\nResourceLink: https://apps.db.ripe.net/search/query.html\r\nOrgTechHandle: RNO29-ARIN\r\nOrgTechName: RIPE NCC Operations\r\nOrgTechPhone: +31 20 535 4444\r\nOrgTechEmail: hostmaster@ripe.net\r\nOrgTechRef:    https://rdap.arin.net/registry/entity/RNO29-ARIN\r\nOrgAbuseHandle: ABUSE3850-ARIN\r\nOrgAbuseName: Abuse Contact\r\nOrgAbusePhone: +31205354444\r\nOrgAbuseEmail: abuse@ripe.net\r\nOrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3850-ARIN\r\n# whois.ripe.net\r\ninetnum:        159.100.245.0 - 159.100.255.255\r\nnetname:        Akenes\r\ndescr:         Exoscale Open Cloud DK2\r\ndescr:         Exoscale cloud hosting https://www.exoscale.ch\r\ndescr:         *******************************************************\r\ndescr:         * These IPs are customer assigned STATIC IPs.\r\ndescr:         * In case of abuse, please do NOT block entire\r\ndescr:         * network as IPs of this block are assigned as /32\r\ndescr:         * to individual customers.\r\ndescr:         *******************************************************\r\ndescr:         * For abuse-complaints please use\r\ndescr:         * only abuse@exoscale.ch.\r\ndescr:         *******************************************************\r\ncountry:        CH\r\nadmin-c:        AC22866-RIPE\r\ntech-c:         LLL1007-RIPE\r\nstatus:         LEGACY\r\nmnt-by:         Exoscale-MNT\r\ncreated:        2017-11-20T10:37:49Z\r\nlast-modified: 2017-11-20T10:37:49Z\r\nsource:         RIPE\r\nperson:         Antoine COETSIER\r\naddress:        Boulevard de Grancy 19A\r\naddress:        1006 Lausanne\r\naddress:        SWITZERLAND\r\nphone:         +41 58 255 00 66\r\nnic-hdl:   
     AC22866-RIPE\r\nmnt-by:         Exoscale-MNT\r\ncreated:        2013-02-08T14:10:06Z\r\nlast-modified: 2019-04-11T05:30:08Z\r\nsource:         RIPE # Filtered\r\nperson:         Loic Lambiel\r\naddress:        Boulevard de Grancy 19A\r\naddress:        1006 Lausanne\r\naddress:        Switzerland\r\nphone:         +41 58 255 00 66\r\nnic-hdl:        LLL1007-RIPE\r\nmnt-by:         Exoscale-MNT\r\ncreated:        2013-02-15T10:16:52Z\r\nlast-modified: 2019-04-11T05:31:04Z\r\nsource:         RIPE # Filtered\r\n% Information related to '159.100.248.0/21AS61098'\r\nroute:         159.100.248.0/21\r\norigin:         AS61098\r\nmnt-by:         Exoscale-MNT\r\ncreated:        2016-12-14T10:12:52Z\r\nlast-modified: 2016-12-14T10:12:52Z\r\nsource:         RIPE\r\n% This query was served by the RIPE Database Query Service version 1.95.1 (WAGYU)\r\nRelationships\r\n159.100.250.231 Connected_From 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\r\n159.100.250.231 Connected_From b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32\r\n159.100.250.231 Connected_From 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790\r\n159.100.250.231 Connected_From 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c\r\nDescription\r\nHard-coded C2 address used by these RATs.\r\n43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c\r\nTags\r\nkeylogger, spyware, trojan\r\nDetails\r\nName 83833f8dbdd6ecf3a1212f5d1fc3d9dd\r\nSize 905216 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 83833f8dbdd6ecf3a1212f5d1fc3d9dd\r\nSHA1 77a2272633eb64e4c16f8ea4466dba59ecc92292\r\nSHA256 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c\r\nSHA512 cda12a75b1d6524fe8856d6ef359ab58785e2c56ca4fec613b851a6730d24b8141dfdd00fba62f2865b8cc4606e85b258c02d71ccd45fcde7\r\nssdeep 
24576:AECw5N98knVurfj9gbYX91XdKo1ldrtD9:AECwz9fqfj59NwuldrF\r\nEntropy 6.710436\r\nAntivirus\r\nAhnlab Trojan/Win32.KeyLogger\r\nAntiy Trojan/Win32.AGeneric\r\nAvira HEUR/AGEN.1038092\r\nBitDefender Gen:Variant.Graftor.679285\r\nClamAV Win.Trojan.Agent-7376468-0\r\nESET a variant of Win32/Spy.Agent.PUH trojan\r\nEmsisoft Gen:Variant.Graftor.679285 (B)\r\nIkarus Trojan-Spy.Agent\r\nK7 Spyware ( 00555d821 )\r\nNANOAV Trojan.Win32.Graftor.ggzicq\r\nSophos Troj/Agent-BCXS\r\nSymantec Heur.AdvML.B\r\nVirusBlokAda BScope.TrojanSpy.Agent\r\nZillya! Trojan.Agent.Win32.1170395\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2008-01-17 10:34:19-05:00\r\nImport Hash 3b7df90688bca84764a888c49f25e8b9\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n064a795c4019629fd03c3d47c823cd49 header 1024 3.330520\r\nec60b9f4b78b0f79ea9d15910baf3d8d .text 672768 6.660080\r\n3dd902a53e33d4f6b014f6a677620252 .rdata 164864 5.832569\r\n0c88a9a99d1c3cb1b61009a6acb2539e .data 37376 5.304517\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\nd5ea2a2452a9733e2cc63487e98b387d .gfids 512 2.821174\r\nf42c4819230ff4b40b0e52850c134b08 .rsrc 512 4.708237\r\na1862d52a23162d56421552f09f1ca85 .reloc 27648 6.587842\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n43193c4efa... Contained_Within 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\r\n43193c4efa... Connected_To 159.100.250.231\r\nDescription\r\nThis sample is a full-featured RAT executable contained within\r\n\"1EA6B3E99BBB67719C56AD07F5A12501855068A4A866F92DB8DCDEFAFFA48A39\".\r\nSee Figure 1 for a full list of commands. A hardcoded C2 address of 159.100.250.231 on port 8080 is contained within the\r\nsample. 
The RAT is controllable by a CAgent.exe variant\r\n\"618A67048D0A9217317C1D1790AD5F6B044EAA58A433BD46EC2FB9F9FF563DC6\".\r\nThe imports are obfuscated by prepending \"CARAT_\" to the API names.\r\nPackets use the following format:\r\n----------Begin Packet Formatting---------\r\n[OPCODE] [4 Bytes length of data] [data]\r\n----------End Packet Formatting---------\r\nPackets are encoded by XORing the data after the header with the single-byte key 0x07. The implant initiates a\r\ncallback to the C2, then immediately sends its victim_info.\r\n----------Begin Victim_Info----------\r\n•    Language\r\n•    Country\r\n•    Victim_ID\r\n•    Computer_Name\r\n•    User_Name\r\n•    Implant_Version = \"11.0\"\r\n•    Victim_IP\r\n•    System_Architecture\r\n•    Drive_Letters\r\n•    OS_Version\r\n----------End Victim_Info----------\r\n133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f\r\nTags\r\ntrojan\r\nDetails\r\nName a21171923ec09b9569f2baad496c9e16\r\nSize 922624 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 a21171923ec09b9569f2baad496c9e16\r\nSHA1 35ba8e39e6c8234ad55baf27130bb696179b7681\r\nSHA256 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f\r\nSHA512 c1775b68b6b083323780150f6da654c6bcaf313b298fd243047402a0d0ec5631f8c90ed7ccc28ff4c1eaf2666e671b9c0f6bc068ca9e06557\r\nssdeep 12288:KsukuhRC+VmUmEViUUwsaXpx3U09S5j4J6dxLqm1JaSjyQiEyDlZk7SxTmgaA6i:pukuhRC+Vr24v3qhdDaSuQCBZk7SUA\r\nEntropy 6.678910\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy Trojan/Win32.AGeneric\r\nAvira HEUR/AGEN.1038092\r\nClamAV Win.Trojan.Agent-7376468-0\r\nESET a variant of Win32/Agent.SSC trojan\r\nSymantec Heur.AdvML.B\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-03-26 09:21:10-04:00\r\nImport Hash 
80e9b5b96cb30be08b9f46dcd40ca0b6\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n480ee7622ef011b56ad9be1f520b53bb header 1024 3.124211\r\ne0689d923085269b1433eb46c62b9aad .text 698880 6.634137\r\ne1d4d4f7c07cb01481a7f937c1a399c5 .rdata 154112 5.641674\r\n5b25e16d6a60901096dd38e8d609656f .data 38912 5.185811\r\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\r\n4dd9e4bd9bce353817d7013e17254399 .rsrc 512 4.717679\r\n6c01df76342b581365053b6550340347 .reloc 28672 6.610094\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n133820ebac... Contained_Within b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32\r\nDescription\r\nThis sample is a full-featured RAT executable contained within\r\n\"B6811B42023524E691B517D19D0321F890F91F35EBBDF1C12CBB92CDA5B6DE32\".\r\nSee the analysis of file \"1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\" for additional details.\r\nThis sample varies slightly in the following ways.\r\n----------Begin Packet Formatting---------\r\n[OPCODE][4 Bytes data length][4 Bytes unused][AUTH CODE 72 50 BF 9E][Data]\r\n----------End Packet Formatting---------\r\nThe implant initiates a callback to the C2, then waits for tasking (it DOES NOT immediately send its victim_info). The\r\nvictim_info for this version contains Unicode strings and additionally includes a UserGeoID field.\r\nThe sample attempts to connect to 159.100.250.231:8080 4 times, with 1 minute between attempts. If that does not succeed, it\r\nthen attempts to connect to www.example.com 4 times, with 1 minute between attempts. This loop continues until a connection is\r\nmade.\r\nRelationship Summary\r\n1ea6b3e99b... Connected_To 159.100.250.231\r\n1ea6b3e99b... Contains 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c\r\nb6811b4202... Connected_To 159.100.250.231\r\nb6811b4202... Contains 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f\r\n738ba44188... 
Connected_To 159.100.250.231\r\n159.100.250.231 Connected_From 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\r\n159.100.250.231 Connected_From b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32\r\n159.100.250.231 Connected_From 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790\r\n159.100.250.231 Connected_From 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c\r\n43193c4efa... Contained_Within 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39\r\n43193c4efa... Connected_To 159.100.250.231\r\n133820ebac... Contained_Within b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32\r\nMitigation\r\nDisplayed below is a Python3 script used to decrypt and extract the embedded files:\r\n--Begin Decryption and Extraction Python3 Script--\r\nimport argparse\r\nimport struct\r\ndef truncate_nullterm_str(data):\r\n   # Decode a NUL-terminated byte string (the whole buffer if no NUL is present)\r\n   null_index = data.find(b'\\x00')\r\n   if null_index == -1:\r\n       null_index = len(data)\r\n   truncated_str = data[:null_index].decode('utf-8', errors='replace')\r\n   return truncated_str\r\ndef decode(offset,buffer,length,key1,key2):\r\n   # Custom keystream: each output byte is the input byte XORed with the current\r\n   # states of key1, key2 and a third running value k3 derived from both keys\r\n   dec = bytearray()\r\n   k3 = key1\r\n   key1 = key1 \u003e\u003e 1\r\n   while length \u003e 0:\r\n       k1 = key1\r\n       k2 = key2\r\n       dec.append((buffer[offset] ^ k1 ^ k2 ^ k3) \u0026 0xff)\r\n       key1 = (key1 \u003e\u003e 8 | ((key1 * 8 ^ key1) \u0026 0x7f8) \u003c\u003c 0x14) \u0026 0xffffffff\r\n       k3 = (k3 \u0026 k2 ^ (k2 ^ k3) \u0026 k1)\r\n       key2 = (key2 \u003e\u003e 8 | (((key2 * 2 ^ key2) \u003c\u003c 4 ^ key2) \u0026 0xffffff80 ^ key2 \u003c\u003c 7) \u003c\u003c 0x11) \u0026 0xffffffff\r\n       offset += 1\r\n       length -= 1\r\n   return bytes(dec)\r\noffset = 0\r\ndef parse_options(buffer):\r\n   global offset\r\n   # 30 DWORD option values followed by fixed-size string fields (options[30] onward)\r\n   options = list(struct.unpack('I'*30, buffer[0:120]))\r\n   options.append(buffer[120:320])\r\n   options.append(buffer[320:2820])\r\n   options.append(buffer[2820:3020])\r\n   options.append(buffer[3020:3120])\r\n   
options.append(buffer[3120:3220])\r\n   options.append(buffer[3220:3320])\r\n   options.append(buffer[3320:3360])\r\n   enabled_options = ''\r\n   disabled_options = ''\r\n   if options[0] == 0:\r\n       offset = options[27] + options[28] + options[22]\r\n       enabled_options += \"Embedded payload at offset: %d\\n\" % offset\r\n       disabled_options += \"Download payload\\n\"\r\n   else:\r\n       enabled_options += \"Download payload from: %s\\n\" % truncate_nullterm_str(options[30])\r\n       disabled_options += \"Embedded payload\\n\"\r\n   # Simple on/off checks: a zero option value means the check is disabled\r\n   for index, label in ((1, \"VM Detect\\n\"), (2, \"Sandbox Detect\\n\"), (3, \"Debugger Detect\\n\"), (4, \"Active Processes Check\\n\"), (5, \"Installed programs Check\\n\"), (6, \"Language Check\\n\"), (7, \"Username Check\\n\"), (8, \"Computer name Check\\n\"), (9, \"Installed number of programs Check\\n\")):\r\n       if options[index] == 0:\r\n           disabled_options += label\r\n       else:\r\n           enabled_options += label\r\n   label = \"Number running processes Check\\n\"\r\n   if options[10] == 0:\r\n       disabled_options += label\r\n   else:\r\n       enabled_options += \"Number running processes Check: %d\\n\" % options[10]\r\n   label = \"System processors/memory/diskspace Check\\n\"\r\n   if options[11] == 0:\r\n       disabled_options += label\r\n   else:\r\n       # options[11] is a bit field selecting which thresholds apply\r\n       if options[11] \u0026 0x001:\r\n           enabled_options += \"Processor count check: %d\\n\" % options[12]\r\n       if options[11] \u0026 0x010:\r\n           enabled_options += \"Physical memory check: %d\\n\" % options[13]\r\n       # The published script tested 0x000 here, which never fires; 0x100 follows\r\n       # the 0x001/0x010 pattern and is an assumed correction\r\n       if options[11] \u0026 0x100:\r\n           enabled_options += \"Disk space check: %d\\n\" % options[14]\r\n   label = \"DLL Hijack cliconfg.exe\\n\"\r\n   # The published script tested options[12] (the processor-count threshold) here;\r\n   # options[15], the only slot unused before EnableLUA, is an assumed correction\r\n   if options[15] == 0:\r\n       disabled_options += label\r\n   else:\r\n       enabled_options += label\r\n   label = \"EnableLUA\\n\"\r\n   if options[16] == 0:\r\n       disabled_options += label\r\n   else:\r\n       enabled_options += label\r\n   label = \"Create Persistence\\n\"\r\n   if options[17] == 0:\r\n       disabled_options += label\r\n   elif options[17] == 1:\r\n       enabled_options += \"Create Persistence using Run key: %s\\n\" % truncate_nullterm_str(options[31][0x960:])\r\n   elif options[17] == 2:\r\n       enabled_options += \"Create Persistence in Startup folder\\n\"\r\n   elif options[17] == 3:\r\n       enabled_options += \"Create Persistence using \\\"System Backup\\\" hourly Scheduled Task\\n\"\r\n   # The published script only recorded which execution mode was disabled and printed\r\n   # the hollowing target unconditionally; here the target is reported only when\r\n   # direct execution is off (assumed reading of the same flags)\r\n   if options[18] != 0:\r\n       enabled_options += \"Direct Execution\\n\"\r\n       disabled_options += \"Process Hollowing\\n\"\r\n   else:\r\n       disabled_options += \"Direct Execution\\n\"\r\n       hollow_targets = {0: \"self\", 1: \"svchost.exe\", 2: \"conhost.exe\", 3: \"explorer.exe\", 4: \"\\\"http\\\\shell\\\\open\\\\command\\\" registry key value\"}\r\n       if options[19] == 5:\r\n           enabled_options += \"Process Hollowing: %s\\n\" % truncate_nullterm_str(options[33])\r\n       elif options[19] in hollow_targets:\r\n           enabled_options += \"Process Hollowing: %s\\n\" % hollow_targets[options[19]]\r\n   
label = \"Sleep Timer\\n\"\r\n   if options[20] == 0:\r\n       disabled_options += label\r\n   else:\r\n       enabled_options += \"Sleep Timer: %d\\n\" % options[20]\r\n   label = \"Kill Timer\\n\"\r\n   if options[21] == 0:\r\n       disabled_options += label\r\n   else:\r\n       enabled_options += \"Kill Timer: %d\\n\" % options[26]\r\n   relocate_dirs = {0: \"C:\\\\\", 1: \"%windir%\\\\\", 2: \"%system%\\\\\", 3: \"%programfiles%\\\\\", 4: \"%programfiles%\\\\Common Files\\\\\", 5: \"C:\\\\ProgramData\\\\\", 6: \"%userprofile%\\\\\", 7: \"%userprofile%\\\\Documents\\\\\", 8: \"%temp%\\\\\", 9: \"%userprofile%\\\\Favorites\\\\\", 10: \"%appdata%\\\\\", 11: \"%localappdata%\\\\\"}\r\n   if options[29] in relocate_dirs:\r\n       enabled_options += \"Relocate to: %s\" % relocate_dirs[options[29]]\r\n   if len(truncate_nullterm_str(options[34])) \u003e 0:\r\n       enabled_options += \"%s\\\\\" % truncate_nullterm_str(options[34])\r\n   enabled_options += \"%s\\n\" % truncate_nullterm_str(options[35])\r\n   label = \"Mutex\\n\"\r\n   if len(truncate_nullterm_str(options[36])) == 0:\r\n       disabled_options += label\r\n   else:\r\n       enabled_options += \"Mutex: %s\\n\" % truncate_nullterm_str(options[36])\r\n   print(\"\\nDisabled Options:\")\r\n   print(disabled_options)\r\n   print(\"\\nEnabled Options:\")\r\n   print(enabled_options)\r\ndef main():\r\n   parser = argparse.ArgumentParser()\r\n   parser.add_argument('filename')\r\n   args = parser.parse_args()\r\n   with open(args.filename, 'rb') as f:\r\n       exe = f.read()\r\n       # Walk the PE headers to the end of the last section: the encrypted option block\r\n       # and payload are appended after it as a bitmap-shaped overlay\r\n       PE_header_pos = struct.unpack('\u003ci', exe[0x3c:0x3c+4])[0]\r\n       PE_header_len = struct.unpack('\u003ci', exe[PE_header_pos+0x54:PE_header_pos+0x54+4])[0]  # SizeOfHeaders\r\n       PE_header_length = struct.unpack('\u003ch', exe[PE_header_pos+0x14:PE_header_pos+0x14+2])[0]  # SizeOfOptionalHeader\r\n       section_headers_pos = PE_header_pos + PE_header_length + 0x18\r\n       num_headers = struct.unpack('\u003ch', exe[PE_header_pos+0x6:PE_header_pos+0x6+2])[0]\r\n       curr_header_pos = section_headers_pos\r\n       bitmap_pos = PE_header_len\r\n       for i in range(num_headers):\r\n           header_len = struct.unpack('\u003ci', exe[curr_header_pos+0x10:curr_header_pos+0x10+4])[0]  # SizeOfRawData\r\n           bitmap_pos += header_len\r\n           curr_header_pos += 0x28\r\n       # Both 32-bit keys and the bitmap header length are read from the overlay's header\r\n       key1 = struct.unpack('\u003cI', exe[bitmap_pos+0x3a:bitmap_pos+0x3a+4])[0]\r\n       bitmap_len = len(exe) - bitmap_pos\r\n       bitmap_header_len = struct.unpack('\u003cH', exe[bitmap_pos+0x3e:bitmap_pos+0x3e+2])[0]\r\n       key2 = struct.unpack('\u003cI', exe[bitmap_pos+0x36:bitmap_pos+0x36+4])[0]\r\n       bitmap_len -= bitmap_header_len\r\n       bitmap_len -= 0x036\r\n       print(\"[ ] Decoding %d Bytes with:\" % bitmap_len)\r\n       print(\"    Key1: %s\" % hex(key1))\r\n       print(\"    Key2: %s\" % hex(key2))\r\n       dec = decode(0,exe[bitmap_pos+bitmap_header_len+0x36:],bitmap_len,key1,key2)\r\n       print(\"[+] Decoding Complete!\")\r\n       # The option block occupies the first 0xd56-0x36 decoded bytes; the payload follows it\r\n       parse_options(dec[0:0xd56-0x36])\r\n       payload_pos = 0xd56-0x36+offset\r\n       print(\"[ ] Found embedded payload, extracting..\")\r\n       with open(args.filename + \"_payload.exe\", 'wb') as out:\r\n           out.write(dec[payload_pos:])\r\n       print(\"[+] Wrote %d Bytes to %s\" % (len(dec[payload_pos:]), args.filename + \"_payload.exe\"))\r\nif __name__ == '__main__':\r\n   main()\r\n--End Decryption and Extraction Python3 Script--\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or contact@mail.cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a\r\nPE Sections\nMD5 Name Raw Size Entropy\n1db5d7f5d8e2fa35f4077d3c28b60ae7 header 1024 3.229935\n6f6469c660281de2c72fa3685d55a8ec .text 710656 6.655052\n0847400b5430782ad644a30cd8240c73 .rdata 167424 5.776485\n77ab2f92d6177b9e39430447aa595073 .data 37376 5.315603\n1f354d76203061bfdd5a53dae48d5435 .tls 512 0.020393\n1704ffd93e9d463dc42784bc03bbfd5d .gfids 512 2.779799\n850aa99c8c1a85dc7545811d66bb0c17 .rsrc 512 4.717679",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.us-cert.gov/ncas/analysis-reports/ar20-045a"
	],
	"report_names": [
		"ar20-045a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e553083dd46f0a8dcf0bc0a12b5265d6973b7a1c.pdf",
		"text": "https://archive.orkl.eu/e553083dd46f0a8dcf0bc0a12b5265d6973b7a1c.txt",
		"img": "https://archive.orkl.eu/e553083dd46f0a8dcf0bc0a12b5265d6973b7a1c.jpg"
	}
}
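The report above describes two C2 framings for the BISTROMATH RAT: the first variant sends [OPCODE][4-byte length][data] with everything after the header XORed with 0x07, and the second inserts four unused bytes and the constant AUTH CODE 72 50 BF 9E between the length and the data. The following encoder/decoder is an added example for defenders reconstructing traffic to 159.100.250.231:8080 from a capture; it is not code from CISA or from the malware. It assumes what the report leaves unstated: a one-byte opcode, a little-endian length field, and that the second variant applies the same 0x07 XOR to the data after its longer header. All packet bytes in it are constructed for the example.

```python
"""Encoder/decoder for the two BISTROMATH C2 packet framings described in MAR-10265965-1.v1."""
import struct

XOR_KEY = 0x07                              # single-byte key applied to everything after the header
V2_AUTH_CODE = bytes.fromhex("7250bf9e")    # AUTH CODE 72 50 BF 9E, constant in the second variant
OPCODE_LEN = 1                              # ASSUMPTION: the report does not state the opcode width
V1_HEADER_LEN = OPCODE_LEN + 4              # [OPCODE][4-byte length]
V2_HEADER_LEN = OPCODE_LEN + 4 + 4 + len(V2_AUTH_CODE)  # [OPCODE][length][4 unused][AUTH CODE]


def xor_body(data: bytes) -> bytes:
    """XOR with a single byte is its own inverse, so one helper encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)


def build_v1(opcode: int, data: bytes) -> bytes:
    """First variant: [OPCODE][4 Bytes length of data][data]. Length assumed little-endian."""
    return struct.pack("<BI", opcode, len(data)) + xor_body(data)


def build_v2(opcode: int, data: bytes) -> bytes:
    """Second variant: [OPCODE][4 Bytes data length][4 Bytes unused][AUTH CODE][Data]."""
    return struct.pack("<BI", opcode, len(data)) + b"\x00" * 4 + V2_AUTH_CODE + xor_body(data)


def parse_stream(buf: bytes, variant: int):
    """Split a reassembled TCP stream into (opcode, plaintext) tuples.

    Returns (packets, leftover). A trailing packet that has not fully arrived is
    returned as leftover instead of raising, so the caller can append the next TCP
    segment and call again. A second-variant packet whose AUTH CODE does not match
    raises ValueError, since that indicates a framing error or a different protocol.
    """
    header_len = V1_HEADER_LEN if variant == 1 else V2_HEADER_LEN
    packets = []
    pos = 0
    while len(buf) - pos >= header_len:
        opcode, length = struct.unpack_from("<BI", buf, pos)
        if variant == 2:
            auth = buf[pos + OPCODE_LEN + 8:pos + header_len]
            if auth != V2_AUTH_CODE:
                raise ValueError("bad AUTH CODE %s at offset %d" % (auth.hex(), pos))
        end = pos + header_len + length
        if end > len(buf):
            break                           # incomplete packet: wait for more bytes
        packets.append((opcode, xor_body(buf[pos + header_len:end])))
        pos = end
    return packets, buf[pos:]


def looks_like_v2(buf: bytes) -> bool:
    """Cheap triage check on a captured first packet: is the AUTH CODE where variant 2 puts it?"""
    return len(buf) >= V2_HEADER_LEN and buf[OPCODE_LEN + 8:V2_HEADER_LEN] == V2_AUTH_CODE


if __name__ == "__main__":
    # Constructed capture: a first-variant implant sending two packets, the second one cut
    # short by the segment boundary. The opcode values are placeholders, not from the report.
    capture = build_v1(0x10, b"victim_info placeholder") + build_v1(0x11, b"tasking reply")[:7]
    decoded, pending = parse_stream(capture, 1)
    for opcode, body in decoded:
        print("opcode 0x%02x  data=%r" % (opcode, body))
    print("%d byte(s) waiting for the next segment" % len(pending))
    print("second framing detected:", looks_like_v2(build_v2(0x20, b"x")))
```

Because the XOR key is a single byte and the header is sent in clear, the same helper recovers plaintext in both directions; a detection analyst can apply `xor_body` to the bytes after the header of any captured packet to check for the victim_info fields listed above (Computer_Name, User_Name, Implant_Version "11.0") without a full protocol dissector.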