{
	"id": "55c74dde-d0c5-4bb0-b1c5-bf346804b038",
	"created_at": "2026-04-06T00:16:24.929612Z",
	"updated_at": "2026-04-10T03:38:20.455557Z",
	"deleted_at": null,
	"sha1_hash": "f00a29c95f8ec8e83ba8d36d99aab3413c9ad850",
	"title": "MAR-10135536-10 – North Korean Trojan: BADCALL | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95987,
	"plain_text": "MAR-10135536-10 – North Korean Trojan: BADCALL | CISA\r\nPublished: 2019-09-09 · Archived: 2026-04-05 13:41:10 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS),\r\nthe Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners,\r\nDHS, FBI, and DoD identified Trojan malware variants used by the North Korean government - referred to by the U.S.\r\nGovernment as BADCALL. The U.S. Government refers to malicious cyber activity by the North Korean government as\r\nHIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov /hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to\r\nmaintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR\r\nto enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. 
Users or administrators should flag activity associated with the malware, report the activity to the\r\nDHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and\r\ngive the activity the highest priority for enhanced mitigation.\r\nThis report provides analysis of four (4) malicious executable files. The first three (3) files are 32-bit Windows executables\r\nthat function as proxy servers and implement a \"Fake TLS\" method similar to the behavior described in a previously\r\npublished NCCIC report, MAR-10135536-B. The fourth file is an Android Package Kit (APK) file designed to run on\r\nAndroid platforms as a fully functioning Remote Access Tool (RAT).\r\nFor a downloadable copy of IOCs, see:\r\nMAR-10135536-10.stix\r\nSubmitted Files (4)\r\n4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc (C01DC42F65ACAF1C917C0CC29BA63A...)\r\n93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672 (22082079AB45CCC256E73B3A7FD547...)\r\nd1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7 (C6F78AD187C365D117CACBEE140F62...)\r\nedd2aff8fad0c76021adc74fe3cb3cb1a02913a839ad0f2cf31fdea8b5aa8195 (D93B6A5C04D392FC8ED30375BE17BE...)\r\nAdditional Files (2)\r\n91650e7b0833a34abc9e51bff53cc05ef333513c6be038df29929a0a55310d9c (z)\r\nda353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f (hc.zip)\r\nFindings\r\nd1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7\r\nTags\r\nbackdoor, downloader, trojan\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-252a\r\nPage 1 of 14\n\nDetails\r\nName C6F78AD187C365D117CACBEE140F6230\r\nSize 208896 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 c6f78ad187c365d117cacbee140f6230\r\nSHA1 5116f281c61639b48fd58caaed60018bafdefe7a\r\nSHA256 d1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7\r\nSHA512 
f03fe686fac20714a6a7141bff1471c9187b0d4630752fb5eb922605dbb74105c1ecced7e1980a0d79195c1a7f1b2f221e483bc9f7e2164a8b\r\nssdeep 1536:X86D0r4QxG5+XCFpaG7+esyzktLYUwnZ7hUOKYUwnZ7hUOaeYUwnZ7hUOKYUwnZr:X8O0IgCvH7+UzktMxzxgRxzx9\r\nEntropy 6.833120\r\nAntivirus\r\nAhnlab Backdoor/Win32.Akdoor\r\nAntiy Trojan/Win32.BTSGeneric\r\nBitDefender Trojan.Agent.CUTNUnclassified\r\nClamAV Win.Trojan.BadCall-6473322-0\r\nCyren W32/Trojan.DCIV-3872\r\nESET Win32/NukeSped.CX trojan\r\nEmsisoft Trojan.Agent.CUTN (B)\r\nIkarus Trojan.Win32.NukeSped\r\nK7 Trojan ( 005272fc1 )\r\nMicrosoft Security Essentials Backdoor:Win32/Hidcob.A\r\nNANOAV Trojan.Win32.NukeSped.eydshe\r\nSophos Troj/Cruprox-C\r\nSymantec Trojan Horse\r\nTACHYON Backdoor/W32.Agent.208896.DD\r\nTrendMicro BKDR_NUKESPED.A\r\nTrendMicro House Call BKDR_NUKESPED.A\r\nVir.IT eXplorer Trojan.Win32.Dnldr26.BAYE\r\nVirusBlokAda Trojan.Downloader\r\nZillya! Trojan.NukeSped.Win32.49\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule NK_SSL_PROXY { meta: Author = \"CISA Code \u0026 Media Analysis\" Incident =\r\n\"10135536\" Date = \"2018-01-09\" Category = \"Hidden_Cobra\" Family = \"BADCALL\"\r\nDescription = \"Detects NK SSL PROXY\" MD5_1 =\r\n\"C6F78AD187C365D117CACBEE140F6230\" MD5_2 =\r\n\"C01DC42F65ACAF1C917C0CC29BA63ADC\" strings: $s0 =\r\n{8B4C24088A140880F24780C228881408403BC67CEF5E} $s1 =\r\n{568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}\r\n$s2 = {4775401F713435747975366867766869375E2524736466} $s3 =\r\n{67686667686A75797566676467667472} $s4 = {6D2A5E265E676866676534776572}\r\n$s5 = {3171617A5853444332337765} $s6 = \"ghfghjuyufgdgftr\" $s7 =\r\n\"q45tyu6hgvhi7^%$sdf\" $s8 = \"m*^\u0026^ghfge4wer\" condition: ($s0 and $s1 and $s2 and\r\n$s3 and $s4 and $s5) or ($s6 and $s7 and $s8) }\r\nhidden_cobra_consolidated.yara\r\nrule xor_add { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\" Date =\r\n\"2018-04-19\" 
Category = \"Hidden_Cobra\" Family = \"n/a\" Description = \"n/a\" strings:\r\n$decode = { 80 ea 28 80 f2 47} $encode = { 80 f2 47 80 c2 28} condition: uint16(0) ==\r\n0x5A4D and uint16(uint32(0x3c)) == 0x4550 and all of them }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-02-06 22:17:51-05:00\r\nImport Hash 3f197f5c6469421f4472504b1bada91e\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na8f97910c62034b318e17aa17fb97f1c header 4096 0.688106\r\n08112b571663ff5ed42e331a00ccce0c .text 53248 6.508967\r\nca61927558a4dfe9305eb037a5432960 .rdata 8192 4.573237\r\nbb49b2fb00c1ae88ad440971914711a7 .data 139264 6.941279\r\nc58b62cf949e8636ebd5c75f482207c3 .sxdata 4096 0.181138\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ v6.0\r\nDescription\r\nThis file is a malicious 32-bit Windows executable. Analysis indicates this application is designed to force a compromised\r\nsystem to function as a proxy server. When executed, the malware binds and listens for incoming connections on port 8000\r\nof the compromised system. The proxy session traffic is protected by way of a simple cipher based on rotating XOR and\r\nADD. The cipher XORs each byte sent with 47h and adds 28h to it. Each byte received by the malware is XORed with\r\n47h and has 28h subtracted from it. See Figures 1, 2 and 3 for code examples. Notably, this malware attempts to disable the\r\nWindows firewall before binding to port 8000 by modifying the following registry key:\r\n--Begin Firewall Reg Key Modified--\r\nSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\\\List\r\n--End Firewall Reg Key Modified--\r\nAnalysis of this malware indicates it is designed to turn a victim host into a \"hop point\" by relaying traffic to a remote\r\nsystem. 
When the adversary initially connects to a victim’s machine via port 8000, the adversary must first authenticate\r\n(over a session secured with the XOR/ADD cipher described above) by providing the ASCII string \"1qazXSDC23we\". If\r\nthe malware does not receive this value, it will terminate the session, responding with the value \"m*^\u0026^ghfge4wer\".\r\nIf the operator authenticates successfully, they can then issue the command \"ghfghjuyufgdgftr\", which instructs the malware\r\nto begin functioning as a proxy server and respond to the operator with the value \"q45tyu6hgvhi7^%$sdf\". Next, the\r\nmalware attempts to create a proxy session between the operator and another server. During this process, the malware will\r\nattempt to authenticate with the destination server by sending the value \"ghfghjuyufgdgftr\" as a challenge. To complete the\r\nauthentication sequence, the malware expects to receive a response value of \"q45tyu6hgvhi7^%$sdf\". All challenge and\r\nresponse traffic is encoded using the ADD/XOR cipher described earlier.\r\nThe proxy session begins with a remote operator connecting to this implant via a \"fake TLS\" connection attempt, similar to\r\nthe behavior described in a previously released NCCIC report, MAR-10135536-B. Essentially, the malware initiates the TLS\r\nsession using one of several public SSL certificates obtained from well known, legitimate internet services and embedded in\r\nthe malware. However, the traffic from the operator to this implant is not protected with SSL / TLS encryption. The traffic is\r\nonly protected via the ADD/XOR cipher embedded within this implant (see Figures 2-3). If the remote operator authenticates\r\ncorrectly as detailed above, the implant attempts to begin a proxy session with the remote target system. 
The traffic to the\r\nremote systems from this implant is sent and received via the SSL_read and SSL_write APIs available in OpenSSL.\r\nHowever, the malware does not appear to attempt to load an SSL private key or certificate.\r\nThe malware contains public SSL certificates for the following list of domains, which are used for initiating the \"fake TLS\"\r\nsession:\r\n--Begin SSL Certificate Strings--\r\nmyservice.xbox.com\r\nuk.yahoo.com\r\nweb.whatsapp.com\r\nwww[.]apple.com\r\nwww[.]baidu.com\r\nwww[.]bing.com\r\nwww[.]bitcoin.org\r\nwww[.]comodo.com\r\nwww[.]debian.org\r\nwww[.]dropbox.com\r\nwww[.]facebook.com\r\nwww[.]github.com\r\nwww[.]google.com\r\nwww[.]lenovo.com\r\nwww[.]microsoft.com\r\nwww[.]paypal.com\r\nwww[.]tumblr.com\r\nwww[.]twitter.com\r\nwww[.]wetransfer.com\r\nwww[.]wikipedia.org\r\n--End SSL Certificate Strings--\r\nScreenshots\r\nFigure 1 -\r\nFigure 2 -\r\nFigure 3 -\r\nFigure 4 -\r\n4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName C01DC42F65ACAF1C917C0CC29BA63ADC\r\nSize 233472 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 c01dc42f65acaf1c917c0cc29ba63adc\r\nSHA1 d288766fa268bc2534f85fd06a5d52264e646c47\r\nSHA256 4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc\r\nSHA512 0ff6745ef787e89bd0f154bd96571f086f6b6596621e7211bb8ce8f970a26a72770a44b9aa1b906e6599dd5f421e0dd50895e2cde9ba85be7\r\nssdeep 1536:cseScclTQDYY3TSF00sK/LVtKYUwnZ7hUO1YUwnZ7hUOAeYUwnZ7hUO7YUwnZ7hj:cseScjYY3Tyc0LVt9xsxuRxSxzxg0\r\nEntropy 6.861843\r\nAntivirus\r\nAhnlab Backdoor/Win32.Akdoor\r\nAntiy Trojan/Win32.BTSGeneric\r\nAvira TR/NukeSped.ydcjt\r\nBitDefender Trojan.Agent.CBEJUnclassified\r\nClamAV Win.Trojan.Agent-6449123-0\r\nCyren W32/Agent.OOKJ-8303\r\nESET Win32/NukeSped.CX trojan\r\nEmsisoft Trojan.Agent.CBEJ (B)\r\nIkarus Trojan.Agent\r\nK7 Trojan ( 005272fc1 )\r\nKaspersky 
Backdoor.Win32.Agent.texxz\r\nMcAfee Generic.ayf\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.B!dha\r\nNANOAV Trojan.Win32.NukeSped.eyembk\r\nQuick Heal Trojan.Multi\r\nSophos Troj/BadCall-A\r\nSymantec Trojan Horse\r\nTACHYON Trojan/W32.Agent.233472.APN\r\nTrendMicro BKDR_NUKESPED.B\r\nTrendMicro House Call BKDR_NUKESPED.B\r\nVir.IT eXplorer Backdoor.Win32.Agent.LX\r\nVirusBlokAda Backdoor.Agent\r\nZillya! Trojan.Agent.Win32.879097\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule NK_SSL_PROXY { meta: Author = \"CISA Code \u0026 Media Analysis\" Incident =\r\n\"10135536\" Date = \"2018-01-09\" Category = \"Hidden_Cobra\" Family = \"BADCALL\"\r\nDescription = \"Detects NK SSL PROXY\" MD5_1 =\r\n\"C6F78AD187C365D117CACBEE140F6230\" MD5_2 =\r\n\"C01DC42F65ACAF1C917C0CC29BA63ADC\" strings: $s0 =\r\n{8B4C24088A140880F24780C228881408403BC67CEF5E} $s1 =\r\n{568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}\r\n$s2 = {4775401F713435747975366867766869375E2524736466} $s3 =\r\n{67686667686A75797566676467667472} $s4 = {6D2A5E265E676866676534776572}\r\n$s5 = {3171617A5853444332337765} $s6 = \"ghfghjuyufgdgftr\" $s7 =\r\n\"q45tyu6hgvhi7^%$sdf\" $s8 = \"m*^\u0026^ghfge4wer\" condition: ($s0 and $s1 and $s2 and\r\n$s3 and $s4 and $s5) or ($s6 and $s7 and $s8) }\r\nhidden_cobra_consolidated.yara\r\nrule xor_add { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\" Date =\r\n\"2018-04-19\" Category = \"Hidden_Cobra\" Family = \"n/a\" Description = \"n/a\" strings:\r\n$decode = { 80 ea 28 80 f2 47} $encode = { 80 f2 47 80 c2 28} condition: uint16(0) ==\r\n0x5A4D and uint16(uint32(0x3c)) == 0x4550 and all of them }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-02-05 13:16:54-05:00\r\nImport Hash 0b10d6fde1b7cdd778e0338a2d7e5046\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nf0cb80c557b1172362064c51bbb9b271 header 4096 
0.696473\r\ne9d0219343e64c8c8aa6f084db44b92c .text 45056 6.324040\r\n1092801819f120298e2ddac6a96e3fd0 .rdata 8192 3.775333\r\n5109fb1db61b533c23762d9044579db7 .data 167936 7.045393\r\n9ce04d3e820fa7056f351dbcfa05b0fb .reloc 8192 2.767666\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nDescription\r\nThis file is a malicious 32-bit Windows DLL. Static analysis indicates this application is very similar in structure and\r\nfunction to C6F78AD187C365D117CACBEE140F6230. However, rather than being a PE32 executable, this application is a\r\nWindows 32-bit DLL, which must be loaded by an external loader. This external loader was not included within this\r\nsubmission.\r\nThis DLL is designed to force a compromised system to act as a proxy server. This implant is designed to proxy network\r\ntraffic from an operator to another software tool that is being operated by the adversary on a remote system. The traffic to\r\nand from this proxy server will be protected with the same simple XOR / ADD cipher used by the malware\r\nC6F78AD187C365D117CACBEE140F6230. Static analysis indicates sessions from the remote operator connecting directly\r\nto this implant will be protected via SSL / TLS, however the proxy sessions to the remote systems will not be protected via\r\nTLS but will instead use a \"fake TLS\" session. The traffic from the operator to this implant and traffic from the implant to\r\nthe remote systems will be protected via the embedded XOR / ADD cipher (view screenshot). To implement SSL with the\r\nremote operator, the malware loads a private key from a file named 'wbemhost.dll' and a certificate from a file named\r\n'netconf.dll'. This malware does not drop either of these files (see Figure 7).\r\nAnalysis of this malware indicates it is designed to bind to and listen for incoming connections to the victim’s system after\r\ndisabling the firewall by modifying the following registry key. 
The firewall is disabled by allowing incoming access on port\r\n443.\r\n--Begin Firewall Reg Key Modified--\r\nSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\\\List\r\n--End Firewall Reg Key Modified--\r\nAfter connecting to this malware, the operator must issue the challenge value \"qwertyuiop\" to authenticate with the implant\r\n(see Figure 5). This malware also has the added capability of allowing an operator to collect information about the\r\ncompromised system. This information is collected using the Windows APIs GetComputerNameW, gethostbyname, and\r\nGetAdaptersInfo. In order to use this feature, the operator must issue the instruction value \"ghfghjuyufgdgftr\" after\r\nauthenticating. As with C6F78AD187C365D117CACBEE140F6230, this malware uses the OpenSSL functions SSL_read()\r\nand SSL_write() to exchange data with the operator; however, the malware additionally uses a simple XOR cipher (as earlier\r\ndescribed) to decrypt incoming traffic.\r\nAnalysis indicates this malware must also authenticate with the destination server to which the operator wishes to proxy\r\ntraffic. To do so, this malware first sends that remote server the challenge value \"1qazXSDC23we\". The malware must then\r\nreceive the following response from the destination server before it will allow the operator to proxy traffic to it:\r\n\"m*^\u0026^ghfge4wer\" (see Figure 6). 
The authentication values sent to and from this proxy server will be protected via the\r\nsame XOR / ADD cipher utilized by the malware C6F78AD187C365D117CACBEE140F6230 (see Figures 8-9).\r\nThe following is a list of the domains for which the malware contains public SSL certificates, used for initiating the \"FAKE\r\nTLS\" sessions:\r\n--Begin SSL cert list--\r\nmyservice.xbox.com\r\nuk.yahoo.com\r\nweb.whatsapp.com\r\nwww[.]apple.com\r\nwww[.]baidu.com\r\nwww[.]bing.com\r\nwww[.]bitcoin.org\r\nwww[.]comodo.com\r\nwww[.]debian.org\r\nwww[.]dropbox.com\r\nwww[.]facebook.com\r\nwww[.]github.com\r\nwww[.]google.com\r\nwww[.]lenovo.com\r\nwww[.]microsoft.com\r\nwww[.]paypal.com\r\nwww[.]tumblr.com\r\nwww[.]twitter.com\r\nwww[.]wetransfer.com\r\nwww[.]wikipedia.org\r\n--End SSL cert list--\r\nScreenshots\r\nFigure 5 -\r\nFigure 6 -\r\nFigure 7 -\r\nFigure 8 -\r\nFigure 9 -\r\n93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672\r\nTags\r\nbackdoor, trojan\r\nDetails\r\nName 22082079AB45CCC256E73B3A7FD54791\r\nSize 118784 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 22082079ab45ccc256e73b3a7fd54791\r\nSHA1 029bb15a2ba0bea98934aa2b181e4e76c83282ce\r\nSHA256 93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672\r\nSHA512 1b8c3e6da2e43f14d291c6e850eb6a0a51947bb2e87ce378a1b08119667509c36046b73a2e3528054b2b04925abecdc385478b3ff542a31a\r\nssdeep 3072:zO+bv42IGfT/EpdIS+aYy8Wt9QopUuul/WRaKj1gv:aov42T/EptldpZugQK\r\nEntropy 6.824890\r\nAntivirus\r\nAhnlab Trojan/Win32.Casdet\r\nAntiy Trojan/Win32.Casdet\r\nAvira TR/Agent.tsurv\r\nBitDefender Trojan.GenericKD.41577128Unclassified\r\nCyren W32/Trojan.DKUU-0798\r\nESET Win32/NukeSped.FU trojan\r\nEmsisoft Trojan.GenericKD.41577128 (B)\r\nK7 Trojan ( 005560611 )\r\nMcAfee RDN/Generic.dx\r\nQuick Heal Trojan.Casdet\r\nSymantec Backdoor.Trojan\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches 
found.\r\nPE Metadata\r\nCompile Date 2018-07-17 00:59:05-04:00\r\nImport Hash 16829b63f8ecedc02fa379016636a7b3\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n1e0638185a7f70a39e8366d293736868 header 4096 0.696223\r\n7c0e47bb01059f413f0aac60be01708b .text 36864 6.564904\r\nbf754906211b615d5a32284c3e3c97ad .rdata 12288 4.513552\r\nc31a6726d1210b6c5e8c622e9fc91c3d .data 57344 7.684244\r\nf9f1af8f7d13e1321806e125559cde91 .reloc 8192 1.955731\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nRelationships\r\n93e13ffd2a... Contains da353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f\r\nDescription\r\nThis file is a 32-bit Windows DLL. This file is an implant loader for a DLL and is designed to be called from the\r\nServiceMain export function. The malware attempts to decrypt an embedded chunk of data that is 50896 bytes in size. This\r\ndecryption is performed utilizing an RC4 algorithm. 
The key used for this decryption is displayed below:\r\n--Begin RC4 Key--\r\nCC E5 71 D9 B5 88 9D 53 EF 74 D1 9A E5 A4 1E B3\r\n--End RC4 Key--\r\nThis decrypted file is a zip file which contains a malicious DLL file named 'z' (2733A9069F0B0A57BF9831FE582E35D9).\r\nScreenshots\r\nFigure 10 -\r\nda353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f\r\nTags\r\ntrojan\r\nDetails\r\nName hc.zip\r\nSize 50896 bytes\r\nType Zip archive data, at least v2.0 to extract\r\nMD5 eb7da5f1e86679405aa255aa4761977d\r\nSHA1 880cb39fee291aa93eb43d92f7af6b500f6d57dc\r\nSHA256 da353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f\r\nSHA512 f1bc07f218e266d10a3f4d4a76388d3dc37fe51134877fcf071a745214a4309ff6ec71cdf5e7943b08dd68824cf4883a1f4c493911bef4d573b\r\nssdeep 768:wu4/k7m28PNNc5lepsSIDq/TlF6u7ODBHGslr5XRdBXSCF8bbbbbb0gbvbbb9fG+:4M/sfqrD6THl7OlFXRbXhFM++\r\nEntropy 7.993615\r\nAntivirus\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.B!dha\r\nQuick Heal Trojan.Autophyte\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\nda353b2845... Contains 91650e7b0833a34abc9e51bff53cc05ef333513c6be038df29929a0a55310d9c\r\nda353b2845... Contained_Within 93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672\r\nDescription\r\nThis file is a zip compressed archive that was extracted from the file 22082079AB45CCC256E73B3A7FD54791. 
The zip\r\nfile contains the malicious DLL 'z' (2733a9069f0b0a57bf9831fe582e35d9).\r\n91650e7b0833a34abc9e51bff53cc05ef333513c6be038df29929a0a55310d9c\r\nTags\r\nhttps://www.us-cert.gov/ncas/analysis-reports/ar19-252a\r\nPage 9 of 14\n\nbackdoortrojan\r\nDetails\r\nName z\r\nSize 221184 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 2733a9069f0b0a57bf9831fe582e35d9\r\nSHA1 f06f9d015c2f445ee0f13da5708f93c381f4442d\r\nSHA256 91650e7b0833a34abc9e51bff53cc05ef333513c6be038df29929a0a55310d9c\r\nSHA512 78dde154425ff447d9f7d38dacd707227a9375f6b8890f3da99f97f93acf9fb12db3f678db799920fac0854235aaeb558d49578d5f443d85a4\r\nssdeep 1536:kkRTTvge1l5HFXCtTX/Mo1xaft0YUwnZ7hUOSYUwnZ7hUOAeYUwnZ7hUOCYUwnZl:kkRTTRj5HlkMsaft7xfxuRx3xzxN\r\nEntropy 7.062074\r\nAntivirus\r\nAhnlab Backdoor/Win32.Akdoor\r\nAntiy Trojan/Win32.Autophyte\r\nAvira TR/NukeSped.kaqej\r\nBitDefender Gen:Variant.Zusy.290461Unclassified\r\nClamAV Win.Trojan.BadCall-6473322-0\r\nESET Win32/NukeSped.FU trojan\r\nEmsisoft Gen:Variant.Zusy.290461 (B)\r\nIkarus Trojan.Win32.Autophyte\r\nK7 Trojan ( 005562ef1 )\r\nMcAfee RDN/Generic BackDoor\r\nMicrosoft Security Essentials Trojan:Win32/Autophyte.B!dha\r\nQuick Heal Trojan.Autophyte\r\nSymantec Trojan.Proxabop\r\nYara Rules\r\nhidden_cobra_consolidated.yara\r\nrule NK_SSL_PROXY { meta: Author = \"CISA Code \u0026 Media Analysis\" Incident =\r\n\"10135536\" Date = \"2018-01-09\" Category = \"Hidden_Cobra\" Family = \"BADCALL\"\r\nDescription = \"Detects NK SSL PROXY\" MD5_1 =\r\n\"C6F78AD187C365D117CACBEE140F6230\" MD5_2 =\r\n\"C01DC42F65ACAF1C917C0CC29BA63ADC\" strings: $s0 =\r\n{8B4C24088A140880F24780C228881408403BC67CEF5E} $s1 =\r\n{568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}\r\n$s2 = {4775401F713435747975366867766869375E2524736466} $s3 =\r\n{67686667686A75797566676467667472} $s4 = {6D2A5E265E676866676534776572}\r\n$s5 = {3171617A5853444332337765} $s6 = \"ghfghjuyufgdgftr\" $s7 =\r\n\"q45tyu6hgvhi7^%$sdf\" $s8 = 
\"m*^\u0026^ghfge4wer\" condition: ($s0 and $s1 and $s2 and\r\n$s3 and $s4 and $s5) or ($s6 and $s7 and $s8) }\r\nhidden_cobra_consolidated.yara\r\nrule xor_add { meta: Author = \"CISA trusted 3rd party\" Incident = \"10135536\" Date =\r\n\"2018-04-19\" Category = \"Hidden_Cobra\" Family = \"n/a\" Description = \"n/a\" strings:\r\n$decode = { 80 ea 28 80 f2 47} $encode = { 80 f2 47 80 c2 28} condition: uint16(0) ==\r\n0x5A4D and uint16(uint32(0x3c)) == 0x4550 and all of them }\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-07-17 00:53:11-04:00\r\nImport Hash 6a279f14835aa138eab03b57a6e45825\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n79d8ca8726a734aef20f898f5e2fbb50 header 4096 0.711446\r\ne2d8cd2675a9cf155d8a84a98e91726a .text 40960 6.486031\r\n9dd07afaecfd084b82051ce7ad1b4bc1 .rdata 8192 4.848305\r\n20de8f78ea78fe96c41dd8926438fdab .data 159744 7.189385\r\n5aff5f4cc16000bc502b6eec007c9e31 .reloc 8192 2.586704\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 6.0\r\nMicrosoft Visual C++ 6.0 DLL (Debug)\r\nRelationships\r\n91650e7b08... Contained_Within da353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f\r\nDescription\r\nThis file is a 32-bit DLL file. Static analysis indicates this application is very similar in structure and function to\r\nC6F78AD187C365D117CACBEE140F6230.\r\nThis DLL is designed to force a compromised system to act as a proxy server. This implant is designed to proxy network\r\ntraffic from an operator to another software tool that is being operated by the adversary on a remote system. The traffic to\r\nand from this proxy server will be protected with the same simple XOR / ADD cipher used by the malware\r\nC6F78AD187C365D117CACBEE140F6230.\r\nStatic analysis indicates the OpenSSL library is used to implement a TLS/SSL initialization between the operator and this\r\nimplant. 
The malware will also use a rotating XOR / ADD cipher to secure communications from the remote operator -- in\r\naddition to the SSL encryption. During this initialization process the malware loads a private key from a file named\r\n'wbemhost.dll' (see Figure 11) and a certificate from a file named 'netconf.dll'. The malware does not drop these two files,\r\nso they are expected to have been placed on the system by another method.\r\nAnalysis of this malware indicates it is designed to bind to and listen for incoming connections on port 443 of a victim’s\r\nsystem after disabling the firewall by modifying the following registry key:\r\n--Begin Firewall Reg Key Modified--\r\nSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\\\List\r\n--End Firewall Reg Key Modified--\r\nStatic analysis indicates the malware attempts to read configuration data from the following registry key:\r\n--Begin Config Registry Key --\r\nKey: SOFTWARE\\Microsoft\\windows\\CurrentVersion\\NetConfigs\r\nValue: Description\r\n--End Config Registry Key--\r\nThe registry key name is decrypted via RC4 and the malware will attempt to decrypt the contents by using RC4 if the key is\r\npresent on the victim's system. The malware binds and listens for C2 sessions on the victim's system (see Figure 12). 
Once a\r\nC2 session is received on a bound port the malware will read the data by using the OpenSSL library and will decode it using\r\na simple rotating XOR / ADD cipher.\r\nAfter decrypting the incoming traffic the implant ensures it contains the following authentication value:\r\n--Begin Auth Value--\r\nqwertyuiop\r\n--End Auth Value--\r\nIf the authentication value exists, the implant knows the external operator wants to proxy traffic through to another location.\r\nThe malware will respond with the XOR / ADD encoded value \"asdfghjkl\" to let the operator know it is ready to proceed\r\nwith the proxy requests. Static analysis indicates the malware will connect to remote proxy servers via the Fake TLS\r\nprotocol mentioned in prior analysis. SSL encryption will not be used to secure communications between this implant and\r\nthe remote proxy servers -- it will simply use its embedded XOR / ADD cipher (view screenshot). The malware notifies the\r\nremote proxy server it wants to open a session by sending it the value \"1qazXSDC23we\". It then expects the remote proxy\r\nserver to respond with the value \"m*^\u0026^ghfge4wer\". If the remote proxy server does not respond with this value, the proxy\r\nsession will not continue.\r\nAnalysis indicates the malware also contains a large structure capable of gathering a great deal of information about the\r\nvictim's system including the computer name and attached adapters. If the following authentication value is received from\r\nthe external operator, the malware knows the operator wants to gather information about the victim's system:\r\n--Begin Auth Value--\r\nghfghjuyufgdgftr\r\n--End Auth Value--\r\nThe malware will then respond with the XOR / ADD encoded value \"q45tyu6hgvhi7^%$sdf\" to let the remote operator\r\nknow that it received the command to gather the system information (see Figure 13). 
Static analysis indicates all network\r\ntraffic received and sent from this implant will be protected via a rotating XOR / ADD cipher. Additionally, the connection\r\nto the bound port by the C2 operator will be protected via SSL encryption, whereas the connections to the remote hosts\r\n(accessed via a proxy session) will be protected only via the cipher mentioned above (see Figures 14-15).\r\nScreenshots\r\nFigure 11 -\r\nFigure 12 -\r\nFigure 13 -\r\nFigure 14 -\r\nFigure 15 -\r\nFigure 16 -\r\nFigure 17 -\r\nedd2aff8fad0c76021adc74fe3cb3cb1a02913a839ad0f2cf31fdea8b5aa8195\r\nTags\r\nbackdoor, spyware, trojan\r\nDetails\r\nName D93B6A5C04D392FC8ED30375BE17BEB4\r\nSize 321730 bytes\r\nType Java archive data (JAR)\r\nMD5 d93b6a5c04d392fc8ed30375be17beb4\r\nSHA1 f862c2899c41a4d1120a7739cdaff561d2490360\r\nSHA256 edd2aff8fad0c76021adc74fe3cb3cb1a02913a839ad0f2cf31fdea8b5aa8195\r\nSHA512 709931cec37cedf4c5f84f1a2242e48c8465b97217be96a77627a83f317cbb1d0a1a1886955b982b0bf9b92ccf7ab1bef8d782622f81ce1eba\r\nssdeep 6144:1c35mQ6aHY0wxxp/2o0uK1uv8q8lY1pr/Cc800a0sdOQypHIKO9kxZ4:+J5Hlwxmo0Tuv8q8i3+c800NsdFyKKOR\r\nEntropy 7.989671\r\nAntivirus\r\nAhnlab Android-Spyware/Susdama.74c94\r\nAvira ANDROID/Agent.uytoi\r\nIkarus Trojan.AndroidOS.Agent\r\nNANOAV Trojan.Android.Mlw.femarh\r\nQuick Heal Android.Manuscrypt.GEN21990\r\nSophos Andr/Spy-ANK\r\nSymantec Backdoor.Trojan\r\nYara Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a malicious Android APK file. Static analysis indicates it is a RAT, which is designed to listen for incoming\r\nconnections to a compromised Android device, on port 60000.\r\nAnalysis indicates the Android app is capable of recording phone calls, taking screenshots using the device's embedded\r\ncamera, reading data from the device's contact manager, and downloading and uploading data from the compromised\r\nAndroid device. 
The application is also capable of executing commands on the compromised system and scanning for open\r\nWi-Fi channels.\r\nRelationship Summary\r\n93e13ffd2a... Contains da353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f\r\nda353b2845... Contains 91650e7b0833a34abc9e51bff53cc05ef333513c6be038df29929a0a55310d9c\r\nda353b2845... Contained_Within 93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672\r\n91650e7b08... Contained_Within da353b2845a354e1a3f671e4a12198e2c6f57a377d02dfaf90477869041a044f\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. 
To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-888-282-0870 or contact@mail.cisa.dhs.gov.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.\r\nSource: https://www.us-cert.gov/ncas/analysis-reports/ar19-252a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/analysis-reports/ar19-252a"
	],
	"report_names": [
		"ar19-252a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434584,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f00a29c95f8ec8e83ba8d36d99aab3413c9ad850.pdf",
		"text": "https://archive.orkl.eu/f00a29c95f8ec8e83ba8d36d99aab3413c9ad850.txt",
		"img": "https://archive.orkl.eu/f00a29c95f8ec8e83ba8d36d99aab3413c9ad850.jpg"
	}
}