{
	"id": "5d11b3b2-c4d9-4270-9d43-2ba2daf86ed5",
	"created_at": "2026-04-06T00:20:02.836294Z",
	"updated_at": "2026-04-10T03:38:19.716008Z",
	"deleted_at": null,
	"sha1_hash": "f41be63e80159e6c6b8ef04f8a68ca000abb9ff9",
	"title": "MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152238,
	"plain_text": "MAR-10295134-1.v1 – North Korean Remote Access Trojan:\r\nBLINDINGCAN | CISA\r\nPublished: 2020-08-19 · Archived: 2026-04-05 13:50:56 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between Cybersecurity and Infrastructure Security\r\nAgency (CISA) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI\r\nidentified Remote Access Trojan (RAT) malware variants used by the North Korean government. This malware variant has\r\nbeen identified as BLINDINGCAN. The U.S. Government refers to malicious cyber activity by the North Korean\r\ngovernment as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to\r\nmaintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea\r\ntargeted government contractors early this year to gather intelligence surrounding key military and energy technologies. 
The\r\nmalicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a\r\ndata-gathering implant on a victim's system. This campaign utilized compromised infrastructure from multiple countries to\r\nhost its command and control (C2) infrastructure and distribute implants to a victim's system. CISA and FBI are distributing\r\nthis MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to\r\nCISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. The threat actor\r\nwhose activity is described in this report may have included images of logos and products, such as the examples in this\r\nreport, as a part of a social engineering strategy.\r\nCISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx) and two Dynamic-Link\r\nLibraries (DLLs). The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL were\r\nsubmitted that install a 32-bit and a 64-bit DLL named \"iconcache.db\", respectively. The DLL \"iconcache.db\" unpacks and\r\nexecutes a variant of Hidden Cobra RAT. 
It contains built-in functions for remote operations that provide various capabilities\r\non a victim’s system.\r\nFor a downloadable copy of IOCs, see MAR-10295134-1.v1.stix.\r\nSubmitted Files (6)\r\n0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6 (0FC12E03EE93D19003B2DD7117A66A...)\r\n158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17 (2_7955fa7ab32773d17e0e94efeea6...)\r\n586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e (1_6cea7290883f0527dbd3e2df6446...)\r\n6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1 (4_e7aa0237fc3db67a96ebd877806a...)\r\n7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971 (3_56470e113479eacda081c2eeead1...)\r\nd40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 (D40AD4CD39350D718E189ADF45703E...)\r\nAdditional Files (6)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 1 of 35\n\n58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d (58027c80c6502327863ddca28c31d3...)\r\n7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd (7d507281e2e21476ff1af492ad9f57...)\r\n8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050 (8b53b519623b56ab746fdaf14d3eb4...)\r\nb70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9 (iconcache.db)\r\nbdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1 (e7718609577c6e34221b03de7e959a...)\r\nd5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5 (iconcache.db)\r\nDomains (4)\r\nagarwalpropertyconsultants.com\r\nanca-aste.it\r\nautomercado.co.cr\r\ncuriofirenze.com\r\nIPs (4)\r\n192.99.20.39\r\n199.79.63.24\r\n51.68.152.96\r\n54.241.91.49\r\nFindings\r\n586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e\r\nTags\r\ndownloadertrojan\r\nDetails\r\nName 1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx\r\nSize 184853 bytes\r\nType Microsoft Word 2007+\r\nMD5 6cea7290883f0527dbd3e2df64462684\r\nSHA1 
8d179113e963d81adbf8d39ceff456afac3dae16\r\nSHA256 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e\r\nSHA512 6d84696445a9339709edc25dfaa36766bcbc1a63aa41386280307a6314c9838a1fb347785becb91346ac9ed8fffe3804e01910e69945c6f41\r\nssdeep 3072:3wlGjFU9aU5M3Dr+YLLUb6WaTllr+YLLUb6WaTlmv13yK8RZOphF:3wl9aUOfJnUjaTltJnUjaTlmv178RyF\r\nEntropy 6.246619\r\nAntivirus\r\nNANOAV Exploit.Xml.CVE-2017-0199.equmby\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 2 of 35\n\n97 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1\r\nRelationships\r\n586d012540... Connected_To agarwalpropertyconsultants.com\r\nDescription\r\nThis file is a .docx file that is a zipped file containing XML files in a directory structure.\r\nOnce opened in an application capable of displaying .docx files, the XML file\r\n\"1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx/word/_rels/settings.xml.rels\"\r\nattempts to connect to the following Uniform Resource Locator (URL) for a download:\r\n--Begin External URL--\r\nhxxps[:]//agarwalpropertyconsultants.com/assets/form/template/img/boeing_ia_cm.jpg\r\n--End External URL--\r\nThe download was not available at the time of analysis.\r\nScreenshots\r\nFigure 1 - Screenshot of \"1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx\".\r\nagarwalpropertyconsultants.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nhxxps[:]//agarwalpropertyconsultants.com/assets/form/template/img/boeing_ia_cm.jpg\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain Name: AGARWALPROPERTYCONSULTANTS.COM\r\nRegistry Domain ID: 2430104516_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: Whois.bigrock.com\r\nRegistrar URL: www.bigrock.com\r\nUpdated Date: 2019-11-05T02:16:36Z\r\nCreation Date: 2019-09-05T06:07:18Z\r\nRegistrar Registration Expiration Date: 2020-09-05T06:07:18Z\r\nRegistrar: BigRock Solutions Ltd\r\nRegistrar IANA ID: 1495\r\nDomain 
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID: Not Available From Registry\r\nRegistrant City: Mumbai\r\nRegistrant State/Province: Other\r\nRegistrant Postal Code: 400102\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 3 of 35\n\nRegistrant Country: IN\r\nRegistry Admin ID: Not Available From Registry\r\nAdmin City: Mumbai\r\nAdmin State/Province: Other\r\nAdmin Postal Code: 400102\r\nAdmin Country: IN\r\nRegistry Tech ID: Not Available From Registry\r\nTech City: Mumbai\r\nTech State/Province: Other\r\nTech Postal Code: 400102\r\nTech Country: IN\r\nTech Phone: +91.9821112012\r\nName Server: ns1.bh-58.webhostbox.net\r\nName Server: ns2.bh-58.webhostbox.net\r\nDNSSEC: Unsigned\r\nRegistrar Abuse Contact Email: abuse@bigrock.com\r\nRegistrar Abuse Contact Phone: +1-415-349-0015\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\n\u003e\u003e\u003e Last update of WHOIS database: 2020-06-30T20:21:25Z \u003c\u003c\u003c\r\nRelationships\r\nagarwalpropertyconsultants.com Connected_From 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e\r\nagarwalpropertyconsultants.com Resolved_To 199.79.63.24\r\nDescription\r\n\"1_6cea7290883f0527dbd3e2df64462684.8d179113e963d81adbf8d39ceff456afac3dae16.docx\" attempts to connect to this\r\ndomain.\r\n199.79.63.24\r\nWhois\r\nQueried whois.arin.net with \"n 199.79.63.24\"...\r\nNetRange: 199.79.62.0 - 199.79.63.255\r\nCIDR: 199.79.62.0/23\r\nNetName: PUBLICDOMAINREGISTRY-NETWORKS\r\nNetHandle: NET-199-79-62-0-1\r\nParent: NET199 (NET-199-0-0-0-0)\r\nNetType: Direct Allocation\r\nOriginAS: AS394695\r\nOrganization: PDR (PSUL-1)\r\nRegDate: 2012-01-13\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 4 of 35\n\nUpdated: 2018-11-29\r\nRef: https://rdap.arin.net/registry/ip/199.79.62.0\r\nOrgName: PDR\r\nOrgId: PSUL-1\r\nAddress: P.D.R Solutions LLC, 10, Corporate Drive, Suite 300\r\nCity: 
Burlington\r\nStateProv: MA\r\nPostalCode: 01803\r\nCountry: US\r\nRegDate: 2015-08-04\r\nUpdated: 2019-11-07\r\nRef: https://rdap.arin.net/registry/entity/PSUL-1\r\nOrgAbuseHandle: ABUSE5185-ARIN\r\nOrgAbuseName: Abuse Admin\r\nOrgAbusePhone: +1-415-230-0648\r\nOrgAbuseEmail: abuse@publicdomainregistry.com\r\nOrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE5185-ARIN\r\nOrgNOCHandle: NOC32406-ARIN\r\nOrgNOCName: NOC\r\nOrgNOCPhone: +1-415-230-0680\r\nOrgNOCEmail: noc@publicdomainregistry.com\r\nOrgNOCRef: https://rdap.arin.net/registry/entity/NOC32406-ARIN\r\nOrgTechHandle: TECH953-ARIN\r\nOrgTechName: Tech\r\nOrgTechPhone: +1-415-230-0680\r\nOrgTechEmail: ipadmin@publicdomainregistry.com\r\nOrgTechRef: https://rdap.arin.net/registry/entity/TECH953-ARIN\r\nOrgRoutingHandle: EIGAR-ARIN\r\nOrgRoutingName: eig-arin\r\nOrgRoutingPhone: +1-781-852-3200\r\nOrgRoutingEmail: eig-net-team@endurance.com\r\nOrgRoutingRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN\r\nOrgNOCHandle: EIGAR-ARIN\r\nOrgNOCName: eig-arin\r\nOrgNOCPhone: +1-781-852-3200\r\nOrgNOCEmail: eig-net-team@endurance.com\r\nOrgNOCRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN\r\nOrgDNSHandle: EIGAR-ARIN\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 5 of 35\n\nOrgDNSName: eig-arin\r\nOrgDNSPhone: +1-781-852-3200\r\nOrgDNSEmail: eig-net-team@endurance.com\r\nOrgDNSRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN\r\nOrgTechHandle: EIGAR-ARIN\r\nOrgTechName: eig-arin\r\nOrgTechPhone: +1-781-852-3200\r\nOrgTechEmail: eig-net-team@endurance.com\r\nOrgTechRef: https://rdap.arin.net/registry/entity/EIGAR-ARIN\r\nRelationships\r\n199.79.63.24 Resolved_To agarwalpropertyconsultants.com\r\nDescription\r\nDomain \"agarwalpropertyconsultants.com\" resolved to this Internet Protocol (IP) address during analysis.\r\n158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17\r\nTags\r\ndownloaderloadertrojan\r\nDetails\r\nName 
2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx\r\nSize 521644 bytes\r\nType Microsoft Word 2007+\r\nMD5 7955fa7ab32773d17e0e94efeea69cf4\r\nSHA1 e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a\r\nSHA256 158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17\r\nSHA512 aa773c54a764927c13db914169de9adde26210da8e223d54e206e9fa0b8720ded3d1fbfbbaf13d5cf40a46e1103f90889d6acb86b55515f01\r\nssdeep 12288:xnCB1YmAjh6oSdUocST5Uqpd4zRgE/CcftnPrqpd4zRgE/CcfI:tmA167dUo1FtpdSgEjlOpdSgEjA\r\nEntropy 7.915680\r\nAntivirus\r\nMcAfee Trojan-FRVP!2F8066356BC3\r\nNANOAV Exploit.Xml.CVE-2017-0199.equmby\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n158ddb8561... Connected_To anca-aste.it\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 6 of 35\n\nDescription\r\nThis is a .docx file that is a zipped container of XML files in a directory structure.\r\nOnce opened in an application capable of displaying .docx files, the XML file\r\n\"2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx/word/_rels/settings.xml.rels\"\r\nattempts to connect to the following URL for a download:\r\n--Begin External URL--\r\nhxxps[:]//www[.]anca-aste.it/uploads/form/boeing_iacm_logo.jpg\r\n--End External URL--\r\nThe download was not available at the time of analysis.\r\nScreenshots\r\nFigure 2 - Screenshot of \"2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx\".\r\n7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971\r\nTags\r\ndownloaderloadertrojan\r\nDetails\r\nName 3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx\r\nSize 521660 bytes\r\nType Microsoft Word 2007+\r\nMD5 56470e113479eacda081c2eeead153bf\r\nSHA1 c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e\r\nSHA256 7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971\r\nSHA512 
0111578f53189915a7f39f755087a283b60196283393d7979bc7a65f462c8af646579a57b0d4693bffdca0ceb92e2bad26720c4418b1cbb21\r\nssdeep 12288:GaF6pLikGz2wx0zqb/RXkIUsYqpd4zRgE/CcfLqpd4zRgE/CcftKv:GaspLiewxgi/lkIUs5pdSgEj+pdSgEjG\r\nEntropy 7.916144\r\nAntivirus\r\nAhnlab Downloader/Doc.Generic\r\nAntiy Trojan/Win32.Casdet\r\nAvira W97M/Dldr.Agent.iscqo\r\nBitDefender Trojan.GenericKD.33913186\r\nClamAV Win.Malware.Agent-8366038-0\r\nComodo Malware\r\nCyren DOCX/Gamaredon.A.gen!Camelot\r\nESET DOC/TrojanDownloader.Pterodo.A trojan\r\nEmsisoft Trojan.GenericKD.33913186 (B)\r\nIkarus Trojan-Downloader.DOC.Agent\r\nLavasoft Trojan.GenericKD.33913186\r\nMcAfee Trojan-FRVP!AF83AD63D2E3\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 7 of 35\n\nMicrosoft Security Essentials Trojan:Win32/Casdet!rfn\r\nNANOAV Exploit.Xml.CVE-2017-0199.equmby\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/DocDl-ZFL\r\nSymantec Trojan.Gen.NPE\r\nTrendMicro Trojan.9A84BBAC\r\nTrendMicro House Call Trojan.9A84BBAC\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n7933716892... 
Connected_To anca-aste.it\r\nDescription\r\nThis is a .docx file that is a zipped container of XML files in a directory structure.\r\nOnce opened in an application capable of displaying .docx files, the XML file\r\n\"3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx/word/_rels/settings.xml.rels\"\r\nattempts to connect to the following URL for a download:\r\n--Begin External URL--\r\nhxxps[:]//www[.]anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg\r\n--End External URL--\r\nThe download was not available at the time of analysis.\r\nScreenshots\r\nFigure 3 - Screenshot of \"3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx\".\r\n6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1\r\nTags\r\ndownloaderdropperloadertrojan\r\nDetails\r\nName 4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx\r\nSize 184848 bytes\r\nType Microsoft Word 2007+\r\nMD5 e7aa0237fc3db67a96ebd877806a2c88\r\nSHA1 0ecc687d741c7b009c648ef0de0a5d47213f37ff\r\nSHA256 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1\r\nSHA512 771f7e5f68a48e38361f7b1b3c8cc5181a456582515d9b694f98cacd7c33e06dfb994d082c3d009b432fb9f9ecd1f3b194e92b998c203e4e4\r\nssdeep 3072:3wlGjFU9aU5M3Dr+YLLUb6WaTllr+YLLUb6WaTlmv13fK8RZOphN:3wl9aUOfJnUjaTltJnUjaTlmv1y8RyN\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 8 of 35\n\nEntropy 6.246580\r\nAntivirus\r\nAhnlab Downloader/MSOffice.Generic\r\nAntiy Trojan[Exploit]/MSOffice.CVE-2017-0199\r\nAvira W97M/Dldr.Agent.axzdz\r\nClamAV Win.Malware.Agent-8366007-0\r\nESET DOC/TrojanDownloader.Agent.BHQ trojan\r\nIkarus Trojan-Downloader.DOC.Agent\r\nMcAfee Trojan-FRVP!63178C414AF9\r\nMicrosoft Security Essentials Exploit:O97M/CVE-2017-0199!MTB\r\nNANOAV Exploit.Xml.CVE-2017-0199.equmby\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/DocDl-YVZ\r\nSymantec Trojan.Mdropper\r\nTrendMicro TROJ_FR.9B7AA4A0\r\nTrendMicro House Call 
TROJ_FR.9B7AA4A0\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\n97 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e\r\nRelationships\r\n6a3446b8a4... Connected_To anca-aste.it\r\nDescription\r\nThis is a .docx file that is a zipped container of XML files in a directory structure.\r\nOnce opened in an application capable of displaying .docx files, one of its XML files\r\n(4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx/word/_rels/settings.xml.rels)\r\nconnects to the following URL for a download.\r\n--Begin External URL--\r\nhxxps[:]//www[.]anca-aste.it/uploads/form/boeing_jd_t034519.jpg\r\n--End External URL--\r\nThe download was not available at the time of analysis.\r\nScreenshots\r\nFigure 4 - Screenshot of \"4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx\".\r\nanca-aste.it\r\nTags\r\ncommand-and-control\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 9 of 35\n\nURLs\r\nhxxps[:]//www[.]anca-aste.it/uploads/form/boeing_iacm_logo.jpg\r\nhxxps[:]//www[.]anca-aste.it/uploads/form/boeing_jd_t034519.jpg\r\nhxxps[:]//www[.]anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg\r\nPorts\r\n443 TCP\r\nWhois\r\nDomain: anca-aste.it\r\nStatus: ok\r\nSigned: no\r\nCreated: 2006-03-02 00:00:00\r\nLast Update: 2019-07-22 01:05:20\r\nExpire Date: 2020-07-06\r\nRegistrant\r\nCreated: 2017-07-05 14:28:22\r\nLast Update: 2017-07-05 14:28:22\r\nAdmin Contact\r\nName: Gabriele Crepaldi\r\nOrganization: Gabriele Crepaldi\r\nAddress: Via Della Spiga 52, Milano, 20121, MI, IT\r\nCreated: 2017-07-05 14:28:22\r\nLast Update: 2017-07-05 14:28:22\r\nTechnical Contacts\r\nName: hidden\r\nOrganization: hidden\r\nRegistrar\r\nOrganization: CWNET srl\r\nName: CWNET-REG\r\nWeb: http://www.cwnet.it\r\nDNSSEC: no\r\nNameservers\r\nns.thetiscloud1.it\r\nns.thetiscloud2.it\r\nRelationships\r\nanca-aste.it Resolved_To 51.68.152.96\r\nanca-aste.it Connected_From 
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1\r\nanca-aste.it Connected_From 158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 10 of 35\n\nanca-aste.it Connected_From 7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971\r\nDescription\r\nFiles \"2_7955fa7ab32773d17e0e94efeea69cf4.e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx\",\r\n\"3_56470e113479eacda081c2eeead153bf.c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx\" and\r\n\"4_e7aa0237fc3db67a96ebd877806a2c88.0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx\" attempt to connect to this\r\ndomain.\r\n51.68.152.96\r\nWhois\r\nQueried whois.ripe.net with \"-B 51.68.152.96\"...\r\n% Information related to '51.68.152.0 - 51.68.155.255'\r\n% Abuse contact for '51.68.152.0 - 51.68.155.255' is 'abuse@ovh.net'\r\ninetnum:        51.68.152.0 - 51.68.155.255\r\nnetname:        SD-1G-WAW1-W13B\r\ncountry:        PL\r\norg:            ORG-OS23-RIPE\r\nadmin-c:        OTC12-RIPE\r\ntech-c:         OTC12-RIPE\r\nstatus:         LEGACY\r\nmnt-by:         OVH-MNT\r\ncreated:        2018-07-27T14:04:34Z\r\nlast-modified: 2018-07-31T15:24:23Z\r\nsource:         RIPE\r\ngeoloc:         52.225524 21.049737\r\norganisation: ORG-OS23-RIPE\r\norg-name:     OVH Sp. z o. o.\r\norg-type:     OTHER\r\naddress:        ul. Swobodna 1\r\naddress:        50-088 Wroclaw\r\naddress:        Poland\r\ne-mail:         noc@ovh.net\r\nadmin-c:        OTC2-RIPE\r\nmnt-ref:        OVH-MNT\r\nmnt-by:         OVH-MNT\r\ncreated:        2005-09-02T12:40:01Z\r\nlast-modified: 2019-08-08T07:47:57Z\r\nsource:         RIPE\r\nrole:         OVH PL Technical Contact\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 11 of 35\n\naddress:        OVH Sp. z o. o.\r\naddress:        ul. 
Swobodna 1\r\naddress:        54-088 Wroclaw\r\naddress:        Poland\r\ne-mail:         noc@ovh.net\r\nadmin-c:        OK217-RIPE\r\ntech-c:         GM84-RIPE\r\nnic-hdl:        OTC12-RIPE\r\nabuse-mailbox: abuse@ovh.net\r\nnotify:         noc@ovh.net\r\nmnt-by:         OVH-MNT\r\ncreated:        2009-09-16T16:09:56Z\r\nlast-modified: 2019-08-08T07:50:01Z\r\nsource:         RIPE\r\n% Information related to '51.68.0.0/16AS16276'\r\nroute:         51.68.0.0/16\r\norigin:         AS16276\r\nmnt-by:         OVH-MNT\r\ncreated:        2018-03-07T09:22:39Z\r\nlast-modified: 2018-03-07T09:22:39Z\r\nsource:         RIPE\r\n% This query was served by the RIPE Database Query Service version 1.97.2 (HEREFORD)\r\nRelationships\r\n51.68.152.96 Resolved_To anca-aste.it\r\nDescription\r\nDomain \"anca-aste.it\" resolved to this IP during analysis.\r\nd40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9\r\nTags\r\ndroppertrojan\r\nDetails\r\nName D40AD4CD39350D718E189ADF45703EB3A3935A7CF8062C20C663BC14D28F78C9\r\nSize 724480 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 18cfd7e01da5d30a27a885164d5a7b9b\r\nSHA1 40c5103cd9681a2830667957f3e3d037fd25b6c9\r\nSHA256 d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 12 of 35\n\nSHA512 6724ed963fa7ffd1cb3b76a72890b385bcd080a66428f18531f1432a973896d98e9405bd02952ae81b4a6d6294a73cde5911e9998e4f9dae5\r\nssdeep 12288:u4VYMsRKftZAli/I9j2OShndRYMaU4vdXScW2EmBYWK323b1zvpjUSqon01y:jwKbA9XSJ4i4vdEGYfahBjk5\r\nEntropy 7.960508\r\nAntivirus\r\nBitDefender Gen:Trojan.Heur.Su4@!RdqOMbi\r\nEmsisoft Gen:Trojan.Heur.Su4@!RdqOMbi (B)\r\nLavasoft Gen:Trojan.Heur.Su4@!RdqOMbi\r\nSymantec Heur.AdvML.B\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2020-05-20 02:03:53-04:00\r\nImport Hash 513e6f9be441b608d02560144adad488\r\nPE Sections\r\nMD5 Name Raw Size 
Entropy\r\n6dead31f52ae9c89182635c7bc5363ff header 1024 2.447679\r\n4eb9a889d49c201486c6a9844c0a3861 .text 28160 6.512256\r\n2564f80bde6880569bc81d572ffd85c6 .rdata 9216 4.772079\r\n4f06d9f35e1f31817d4205f0cda45316 .data 680448 7.992807\r\naedd1ea7e39bc6c20eb7c1a31ee31945 .rsrc 512 5.114293\r\n4de4bb5980c9ffde6d9809bca8589667 .reloc 5120 3.162603\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ DLL *sign by CodeRipper\r\nRelationships\r\nd40ad4cd39... Dropped b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nDescription\r\nThis application is a 32-bit DLL. Upon execution, it decodes an embedded Ultimate Packer for Executables (UPX) packed\r\nDLL using a hard-coded XOR key: \"0x59\". The decoded DLL is installed and executed from\r\n\"C:\\ProgramData\\iconcache.db\" (b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9) with the\r\nfollowing command:\r\n--Begin Command--\r\n\"C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\iconcache.db,SMain S-6-12-2371-68143633-837395-7851\"\r\n--End Command--\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 13 of 35\n\nb70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nTags\r\nobfuscatedremote-access-trojan\r\nDetails\r\nName iconcache.db\r\nSize 676864 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed\r\nMD5 c627db421adaaa320d3ac42396c89f8a\r\nSHA1 dcf95cd96203e794724fc14e454e63fba9afe82a\r\nSHA256 b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nSHA512 bcc0a6688b5a282802700382d72e11663015946a95c701df82fdab164b6ef6889e180617a284e604e931ffc046ec1fd20ac6e20357ec916ba\r\nssdeep 12288:UloPYtyI4lSa/gwZyVJKlI/mjGENKw4tv1ALs7wboS:eoQp4lSWgwZy6lUkh4N2Ls7w\r\nEntropy 7.994989\r\nPath C:\\ProgramData\\iconcache.db\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-10-30 22:22:32-04:00\r\nImport Hash 
bddf350b1495019b036eb25682895735\r\nCompany Name TODO: \u003cCompany name\u003e\r\nFile Description TODO: \u003cFile description\u003e\r\nInternal Name MFC_DLL.dll\r\nLegal Copyright TODO: (c) \u003cCompany name\u003e. All rights reserved.\r\nOriginal Filename MFC_DLL.dll\r\nProduct Name TODO: \u003cProduct name\u003e\r\nProduct Version 1.0.0.1\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nee27480742e19dfbbedf334ca52aafa5 header 1024 2.713911\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\nf13bc7e5f532956e1c5490d27d9b9eb0 UPX1 670720 7.999480\r\n80eb6e1fc17919b7444d34b73621166f .rsrc 5120 3.981460\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 14 of 35\n\nPackers/Compilers/Cryptors\r\nACProtect 1.3x - 1.4x DLL -\u003e Risco Software Inc.\r\nRelationships\r\nb70e66d387... Connected_To curiofirenze.com\r\nb70e66d387... Connected_To automercado.co.cr\r\nb70e66d387... Dropped_By d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9\r\nb70e66d387... Contains bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\nb70e66d387... Contains 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd\r\nDescription\r\nThis application is a 32-bit UPX packed DLL installed by\r\nd40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 at the path\r\n\"C:\\ProgramData\\iconcache.db\". During execution, it uses the Advanced Encryption Standard (AES) cipher to decrypt and then decompress two\r\nembedded DLL binaries \"bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\" and\r\n\"7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd\" in memory. 
These binaries are loaded and\r\nexecuted in memory during runtime.\r\nbdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\nTags\r\nbackdoorremote-access-trojantrojan\r\nDetails\r\nName e7718609577c6e34221b03de7e959a8c\r\nSize 163840 bytes\r\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 e7718609577c6e34221b03de7e959a8c\r\nSHA1 97d24ac0d773f6260ab512fa496099b3289210db\r\nSHA256 bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\nSHA512 95aab6ef454c364b63002df7949c33602964d0905b4a23511bd9462aa5037c71a933f8bf3a3d650be76926e92bcf39e362a047c2da3da727\r\nssdeep 1536:/XhDZIPNWfFTIL1uWPgNquuGCoGSfYz57wmF87GbSaW1nqBQlBS4AF3TIhrim:/xwWmBLPgNZeTSfE5UmfQqT3TIhW\r\nEntropy 5.585632\r\nAntivirus\r\nAhnlab Backdoor/Win32.Akdoor\r\nESET a variant of Win32/NukeSped.GT trojan\r\nSymantec Heur.AdvML.B\r\nYARA Rules\r\nrule CISA_10135536_06 : trojan rat HIDDENCOBRA BLINDINGCAN\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 15 of 35\n\nIncident = \"10135536\"\r\n       Date = \"2018-05-04\"\r\n       Actor = \"HiddenCobra\"\r\n       Category = \"Trojan RAT\"\r\n       Family = \"BLINDINGCAN\"\r\n       Description = \"Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT\"\r\n       MD5_1 = \"f9e6c35dbb62101498ec755152a8a67b\"\r\n       SHA256_1 = \"1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954\"\r\n       MD5_2 = \"d742ba8cf5b24affdf77bc6869da0dc5\"\r\n       SHA256_2 = \"7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799\"\r\n       MD5_3 = \"aefcd8e98a231bccbc9b2c6d578fc8f3\"\r\n       SHA256_3 = \"96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a\"\r\n       MD5_4 = \"3a6b48871abbf2a1ce4c89b08bc0b7d8\"\r\n       SHA256_4 = \"f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3\"\r\n   strings:\r\n       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 
05 00 03 82 }\r\n       $s1 = { 50 4D 53 2A 2E 74 6D 70 }\r\n       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }\r\n   condition:\r\n       any of them\r\n}\r\nrule CISA_10295134_01 : rat trojan HIDDENCOBRA BLINDINGCAN\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10295134\"\r\n       Date = \"2020-07-28\"\r\n       Last_Modified = \"20200730_1030\"\r\n       Actor = \"HiddenCobra\"\r\n       Category = \"Trojan RAT\"\r\n       Family = \"BLINDINGCAN\"\r\n       Description = \"Detects 32 and 64bit HiddenCobra BlindingCan Trojan RAT\"\r\n       MD5_1 = \"e7718609577c6e34221b03de7e959a8c\"\r\n       SHA256_1 = \"bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\"\r\n       MD5_2 = \"6c2d15114ebdd910a336b6b147512a74\"\r\n       SHA256_2 = \"58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\"\r\n   strings:\r\n       $s0 = { C7 44 24 20 0D 06 09 2A C7 44 24 24 86 48 86 F7 C7 44 24 28 0D 01 01 01 C7 44 24 2C 05 00 03 82 }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 16 of 35\n\n$s1 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }\r\n   condition:\r\n       $s0 or $s1\r\n}\r\nssdeep Matches\r\n93 5665fa000b3cd52ceae755d35ca698e50cfb9c952cfdc70610b3a262e87be210\r\nPE Metadata\r\nCompile Date 2020-05-19 03:26:30-04:00\r\nImport Hash 920679e3a916eba5c0309f6381f49d76\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n3c4d32746197a23e043dec30c3f17502 header 1024 2.462178\r\nc7b7bc3bf34654bd45c303561f9359e1 .text 81920 6.658611\r\na0605f0296280e16d350cf78eb70a0d3 .rdata 25088 6.630270\r\n88750685639a22c3e4bcb15f40390ff9 .data 12800 3.648302\r\n51741feb8529e34f47173f59abe8b19b .rsrc 512 5.105616\r\nb87183316e04b075a0da8e286b297fdb .reloc 7680 5.057386\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ DLL *sign by CodeRipper\r\nRelationships\r\nbdfd16dc53... 
Contained_Within b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nbdfd16dc53... Connected_To curiofirenze.com\r\nbdfd16dc53... Connected_To automercado.co.cr\r\nDescription\r\nThis application is a malicious 32-bit DLL unpacked and executed by\r\n\"b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\". This binary has been identified as a variant\r\nof a Hidden Cobra RAT. This file contains embedded configuration data (2704 bytes). The data is decrypted using a hard-coded AES decryption key \"XEUFC1L3DF3C2ROU\" before being decoded using an XOR cipher. Displayed below is the\r\ncontent of the decoded data:\r\n--Begin configuration data--\r\nhxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nhxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nhxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nhxxps[:]//www[.]curiofirenze.com/include/inc-site.asp\r\nhxxps[:]//www[.]curiofirenze.com/include/inc-site.asp\r\nc:\\windows\\system32\\cmd.exe\r\n%temp%\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 17 of 35\n\n--End configuration data--\r\nThe malware decrypts its strings using a hard-coded RC4 key: \"0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82\".\r\nDisplayed below are sample decrypted strings observed during analysis:\r\n--Begin decrypted strings--\r\n\"Hardware\\Description\\System\\CentralProcessor\\0\"\r\n\"ProcessorNameString\"\r\n\"boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action,\r\npagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code,\r\nbname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid,\r\nboardDiv, sub_idx\"\r\n\"\\\\tsclient\\\"\r\n--End decrypted strings--\r\nIt collects the following information about the victim's system and beacons the collected data to the C2 
\"curiofirenze.com\"\r\nand\r\n\"automercado.co.cr\":\r\n--Begin system information--\r\nOperating system (OS) version information\r\nProcessor information\r\nSystem name\r\nLocal IP address information\r\nMedia access control (MAC) address.\r\n--End system information--\r\nIt attempts to retrieve the User-Agent string from the victim's system. If not available, it uses the following embedded User-Agent string:\r\n--Begin User-Agent String--\r\n\"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98\r\nSafari/537.36\" .\r\n--End User-Agent String--\r\nIt will generate HTTP POST requests with the following format:\r\n--Begin HTTP POST format--\r\nPOST /\u003curi\u003e HTTP/1.1\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nUser-Agent: \u003cobtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 10.0; WOW64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 \u003e\r\nHost: \u003cdomain\u003e\r\nContent-Length: \u003clength\u003e\r\nid=\u003cnine random character generated RC4 key\u003e\u003cthree_random_param_selected\u003e\u0026\u003csecond parameter\u003e=\u003csessionID\u003e\u0026\r\n\u003cthird parameter \u003e=\u003chard-coded_String\u003e\u0026\u003cfourth parameter\u003e=\u003cdatagram\u003e\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 18 of 35\n\n--End HTTP POST format--\r\nThe HTTP POST body contains four parameters of Base64 encoded data as displayed below:\r\n--Begin four parameters--\r\nFour parameters: id=\u003cnine random character generated RC4 key\u003e\u003cthree_random_param_selected\u003e\u0026\u003csecond parameter\u003e=\r\n\u003csessionID\u003e\u0026\u003cthird parameter \u003e=\u003chard-coded_String\u003e\u0026\u003cfourth 
parameter\u003e=\u003cdatagram\u003e\r\nSample:\r\nid=Z2ptZmx0b250JpzkM7R+AAxesq7t1Eo4Dg==\u0026page=bsyybw==\u0026bbsNo=AszBYcolV00l69W9ihtkLg==\u0026bname=\"\r\n--End four parameters--\r\nThe first parameter tag, 'id=', will consist of two separate Base64 encoded parts. The first part consists of a Base64 encoded\r\nnine random generated lower case character RC4 key used for encryption. The second part of the 'id=' parameter tag will\r\ncontain three parameters randomly selected from a list of the below strings. These three randomly selected name tags are\r\ncolon delimited and stored in the following format:\"first name tag:second name tag:third name tag\". This data is encrypted\r\nusing the nine random character generated RC4 key and Base64 encoded.\r\n--Begin randomly selected string tags--\r\n\"boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action,\r\npagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code,\r\nbname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid,\r\nboardDiv, sub_idx\"\r\n--End randomly selected string tags--\r\nThe second parameter tag 'page=' is a randomly selected name from the list of the above string tags which contains the\r\n\"session id\" data. This data is encrypted using the same generated RC4 key before Base64 encoded.\r\nThe third parameter tag 'bbsNo=' is a randomly selected name from a list of the above string tags which contains a hard-coded string data \"T1B7D95256A2001E\" in the malware. This data is encrypted using the RC4 key and then the data is\r\nBase64 encoded. Analysis indicates that when encrypting data from the first three parameters, the encryption starts \"0xC00\r\nbytes\" into the RC4 key stream.\r\nThe fourth parameter tag 'bname=' is a randomly selected name from the list of the above string tags which contains the\r\ndatagram to be sent. 
The datagram is encrypted with a combination of RC4 and differential XOR. The RC4 key used is \"0D\r\n06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82\".\r\nIt contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:\r\n--Begin built-in functions--\r\nRetrieve information about all installed disks, including the disk type and the amount of free space on the disk\r\nCreate, start, and terminate a new process and its primary thread\r\nSearch, read, write, move, and execute files\r\nGet and modify file or directory timestamps\r\nChange the current directory for a process or file\r\nDelete malware and artifacts associated with the malware from the infected system\r\n--End built-in functions--\r\n7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd\r\nTags\r\nHIDDEN-COBRA\r\nDetails\r\nName 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd\r\nSize 163840 bytes\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 19 of 35\n\nType PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nMD5 6f329c32f228d9a4d856afd4794c7f2b\r\nSHA1 4be9aecc0fc76c037420ece97645c6a32294a230\r\nSHA256 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd\r\nSHA512 f4aff0e36fb98d64ff207a983ca7ed10c11ad7b01953b545c655a3349016f9d6c5fbd3cc8d44851cb68c51f069da2469b1e3445cd60b6e1365\r\nssdeep 384:vNV+PKlwRYnd2dPugCkPV59FYRz8xM6hwXlbfR+1nu6EDH+zj+1XoNC3vyFAt1:vNIKip92x8rhOdmnTEDwu3vy\r\nEntropy 1.605796\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-10-30 22:21:48-04:00\r\nImport Hash 75588d29242e426f361ddcf8c53954f5\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n0452202027da519acb3a7d074696de07 header 1024 2.351340\r\nae1c3feb6a3beda4db0ce8c794af77e7 .text 17920 6.473020\r\nc139714dd00b81eb08ecaf32bdced254 .rdata 8192 4.655148\r\n0685a556cdaa359c306b3c7830fc6f1e .data 3072 
2.403876\r\na2b361aa5b6f2d5912845d84ca96a368 .rsrc 512 5.105029\r\nd2e652e58f57bd6314d5ebf8f59687e9 .reloc 2048 5.497034\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ DLL *sign by CodeRipper\r\nRelationships\r\n7d507281e2... Contained_Within b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nDescription\r\nThis application is a 32-bit DLL unpacked and executed by\r\n\"b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\". This file is designed to unmap the DLL\r\n\"C:\\ProgramData\\iconcache.db\" loaded in the process.\r\n0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6\r\nTags\r\ndownloaderdropper\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 20 of 35\n\nDetails\r\nName 0FC12E03EE93D19003B2DD7117A66A3DA03BD6177AC6EB396ED52A40BE913DB6\r\nSize 900096 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 b1dd2c73b3c13a147828f7bb4389d241\r\nSHA1 5275449d25a64e7415c1c1e727a0af76b08c2811\r\nSHA256 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6\r\nSHA512 054b8c4345e97aa4719415971cb5df83f208a2c11302baba66392251a5d7d8251e564443fd4716d82cacf2a5da94250cc8defd9300e088503\r\nssdeep 12288:sXcnHdDS0zaEw2W912s3xN+JgHGJNfKAyhnB8EoarWY9ZtvaBmBJnLoAFMx8wIWF:sMH9S8avT2Ex5mJNfbyYBaaY9Ly\r\nEntropy 7.961146\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2020-05-20 02:03:51-04:00\r\nImport Hash 65793cf7eaeca085293db7251eb4469a\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na1c37a2c9fedecabe570383d81bfb5d6 header 1024 2.524544\r\n61e11f8acaaf9d065546a237ced1e964 .text 31744 6.348358\r\n9f1fe9ee707daa61e91ad94d618b066f .rdata 11264 4.687720\r\n300ac7ec543fda0fab22c110a7d26281 .data 850432 7.993358\r\nda2a58c7e17c14ced8b67bc462ad7427 .pdata 2048 4.219318\r\n531f04a4abeb58f9e10fffc6afe98250 .rsrc 512 5.110827\r\n58c4168b836758e380e64f12eca00760 .reloc 3072 
1.006647\r\nRelationships\r\n0fc12e03ee... Dropped d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\nDescription\r\nThis application is a 64-bit DLL. Upon execution, it decodes an embedded 64-bit UPX packed DLL using a hard-coded\r\nXOR key: \"0x59\". The decoded DLL is installed and executed from \"C:\\ProgramData\\iconcache.db\"\r\n(d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5) with the following command:\r\n--Begin Command--\r\n\"C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\iconcache.db,SMain S-7-43-8423-97048307-383378-8483\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 21 of 35\n\n--End Command--\r\nd5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\nTags\r\nobfuscatedremote-access-trojan\r\nDetails\r\nName iconcache.db\r\nSize 845312 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 c2c5751cdfdbe9fac44337d4cb6e74e4\r\nSHA1 02678efe715ff2658c6a4c2b596046b744a8b222\r\nSHA256 d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\nSHA512 dddd82c21ee815a570689c8023f51267a2699346eadb8cf5cb6a2bfc4e0404ab8388608e934c03b8b69819bab1b5252ed8b29391f543a1c1\r\nssdeep 24576:aSiVfP99Z7QI32TVKBixBWfSVz5HlWkZtk:aSMH94/TVKsfGc9Iqt\r\nEntropy 7.996450\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-10-30 22:22:27-04:00\r\nImport Hash bddf350b1495019b036eb25682895735\r\nCompany Name TODO: \u003cCompany name\u003e\r\nFile Description TODO: \u003cFile description\u003e\r\nInternal Name MFC_DLL.dll\r\nLegal Copyright TODO: (c) \u003cCompany name\u003e. 
All rights reserved.\r\nOriginal Filename MFC_DLL.dll\r\nProduct Name TODO: \u003cProduct name\u003e\r\nProduct Version 1.0.0.1\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nbbdf7f1c6cfdab4beb23ae1f5e5e8e3f header 1024 2.753386\r\nd41d8cd98f00b204e9800998ecf8427e UPX0 0 0.000000\r\n61de5945f98a8652eaf4ae5b93b41128 UPX1 838656 7.999757\r\n70b01a5a98c1febe2bde96c9270957c3 .rsrc 5632 3.718427\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 22 of 35\n\nRelationships\r\nd5186efd85... Connected_To curiofirenze.com\r\nd5186efd85... Connected_To automercado.co.cr\r\nd5186efd85... Dropped_By 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6\r\nd5186efd85... Contains 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nd5186efd85... Contains 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050\r\nDescription\r\nThis application is a 64-bit UPX packed DLL installed by\r\n\"0FC12E03EE93D19003B2DD7117A66A3DA03BD6177AC6EB396ED52A40BE913DB6\" into the\r\nC:\\ProgramData\\iconcache.db\" directory. During execution, it uses AES cipher to decrypt and then decompress two\r\nembedded 64-bit DLL binaries \"58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\" and\r\n\"8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050\" in memory. 
These binaries are loaded and\r\nexecuted in memory during runtime.\r\n58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nTags\r\nHIDDEN-COBRA\r\nDetails\r\nName 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nSize 214608 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 6c2d15114ebdd910a336b6b147512a74\r\nSHA1 9feef1eed2a8a5cbfe1c6478f2740d8fe63305e2\r\nSHA256 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nSHA512 77fd1d56a0f0cf143286fb78519b69eb8ef30f383c117d353ab16d0be5f2bfdbdb847d717dbc8b70b5d806a46fa4a1dc29a8304b8349bc109\r\nssdeep 3072:WvG/9l8VoAo8gj83efR0TmXBlPbAjoSrL90z1agX:0VoAo8qlWTmXBlPbAjHl0j\r\nEntropy 4.709829\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nrule CISA_10295134_01 : rat trojan HIDDENCOBRA BLINDINGCAN\r\n{\r\n   meta:\r\n       Author = \"CISA Code \u0026 Media Analysis\"\r\n       Incident = \"10295134\"\r\n       Date = \"2020-07-28\"\r\n       Last_Modified = \"20200730_1030\"\r\n       Actor = \"HiddenCobra\"\r\n       Category = \"Trojan RAT\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 23 of 35\n\nFamily = \"BLINDINGCAN\"\r\n       Description = \"Detects 32 and 64bit HiddenCobra BlindingCan Trojan RAT\"\r\n       MD5_1 = \"e7718609577c6e34221b03de7e959a8c\"\r\n       SHA256_1 = \"bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\"\r\n       MD5_2 = \"6c2d15114ebdd910a336b6b147512a74\"\r\n       SHA256_2 = \"58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\"\r\n   strings:\r\n       $s0 = { C7 44 24 20 0D 06 09 2A C7 44 24 24 86 48 86 F7 C7 44 24 28 0D 01 01 01 C7 44 24 2C 05 00 03 82 }\r\n       $s1 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }\r\n   condition:\r\n       $s0 or $s1\r\n}\r\nssdeep Matches\r\n90 20ee5fdc9589067a7a312d6f660f0c8f33048f511975298ca6a9bfed145fe8fd\r\n100 78a65874b49922217fd0423cc6293a23f70cb804022283ed3187b71178663ca3\r\nPE 
Metadata\r\nCompile Date 2020-05-19 03:26:27-04:00\r\nImport Hash af2479dbb1f93be4fc4a092cbbd4df85\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n6066ee1e6c73fe6133738f26cf898280 header 1024 2.581998\r\nbfbe6f46025a25810199ae50f7f7ed04 .text 90624 6.498666\r\n2cc742e33c53aeb638e9798422f8adaa .rdata 31232 6.194223\r\n21c81d1a5ad5583610f1bcb7827fec54 .data 14336 3.377777\r\n0a93a2ad9833deb5581854bc11c7fcb7 .pdata 3584 4.918413\r\n9a33838895830247744985365b8b2948 .rsrc 512 5.115767\r\ne032dedb2f8e5a189a3a98897f1f7f92 .reloc 1536 2.852342\r\nRelationships\r\n58027c80c6... Contained_Within d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\n58027c80c6... Connected_From curiofirenze.com\r\n58027c80c6... Connected_From automercado.co.cr\r\nDescription\r\nThis application is a malicious 64-bit DLL unpacked and executed by\r\n\"d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\". This binary has been identified as a 64-bit\r\nversion of the Hidden Cobra RAT \"bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\". This file\r\ncontains the same embedded configuration data. The embedded data is decrypted using a hard-coded AES decryption key:\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 24 of 35\n\n\"81SNWX3ALGPDMW5V\". The decrypted data is decoded using an XOR cipher. 
Displayed below is the content of the\r\ndecoded data:\r\n--Begin configuration data--\r\nhttps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nhttps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nhttps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nhttps[:]//www[.]curiofirenze.com/include/inc-site.asp\r\nhttps[:]//www[.]curiofirenze.com/include/inc-site.asp\r\nc:\\windows\\system32\\cmd.exe\r\n%temp%\r\n--End configuration data--\r\nThe malware decrypts its strings using a hard-coded RC4 key \"0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82\". These key bytes coincide with a slice of the DER encoding of an RSA public key (the rsaEncryption OID 1.2.840.113549.1.1.1 followed by a NULL and the start of a BIT STRING), so a detection written on the bare 16 bytes would also hit legitimate certificates and PKI material; the YARA rule above instead anchors on the mov-immediate opcodes that load the key.\r\nDisplayed below are sample decrypted strings observed during analysis:\r\n--Begin decrypted strings--\r\n\"Hardware\\Description\\System\\CentralProcessor\\0\"\r\n\"ProcessorNameString\"\r\n\"boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action,\r\npagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code,\r\nbname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid,\r\nboardDiv, sub_idx\"\r\n\"\\\\tsclient\\\"\r\n--End decrypted strings--\r\nIt collects the following information about the victim's system and beacons the collected data to the C2 \"curiofirenze.com\"\r\nand\r\n\"automercado.co.cr\":\r\n--Begin system information--\r\nOperating system (OS) version information\r\nProcessor information\r\nSystem name\r\nLocal IP address information\r\nMedia access control (MAC) address.\r\n--End system information--\r\nIt attempts to retrieve the User-Agent string from the victim's system; if not available, it uses the following embedded User-Agent string:\r\n--Begin User-Agent String--\r\n\"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98\r\nSafari/537.36\" .\r\n--End User-Agent String--\r\nIt will generate HTTP POST requests with the following format:\r\n--Begin HTTP POST format--\r\nPOST /\u003curi\u003e 
HTTP/1.1\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 25 of 35\n\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nUser-Agent: \u003cobtained from ObtainUserAgentString otherwise: Mozilla/5.0 (Windows NT 10.0; WOW64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 \u003e\r\nHost: \u003cdomain\u003e\r\nContent-Length: \u003clength\u003e\r\nid=\u003cnine random character generated RC4 key\u003e\u003cthree_random_param_selected\u003e\u0026\u003csecond parameter\u003e=\u003csessionID\u003e\u0026\r\n\u003cthird parameter \u003e=\u003chard-coded_String\u003e\u0026\u003cfourth parameter\u003e=\u003cdatagram\u003e\r\n--End HTTP POST format--\r\nThe HTTP POST body contains four parameters of Base64 encoded data as displayed below:\r\n--Begin four parameters--\r\nFour parameters: id=\u003cnine random character generated RC4 key\u003e\u003cthree_random_param_selected\u003e\u0026\u003csecond parameter\u003e=\r\n\u003csessionID\u003e\u0026\u003cthird parameter \u003e=\u003chard-coded_String\u003e\u0026\u003cfourth parameter\u003e=\u003cdatagram\u003e\r\nSample:\r\nid=Z2ptZmx0b250JpzkM7R+AAxesq7t1Eo4Dg==\u0026page=bsyybw==\u0026bbsNo=AszBYcolV00l69W9ihtkLg==\u0026bname=\"\r\n--End four parameters--\r\nThe first parameter tag, 'id=', will consist of two separate Base64 encoded parts. The first part consists of a Base64 encoded\r\nnine random generated lower case character RC4 key used for encryption. The second part of the 'id=' parameter tag will\r\ncontain three parameters randomly selected from a list of the below strings. These three randomly selected name tags are\r\ncolon delimited and stored in the following format:\"first name tag:second name tag:third name tag\". 
This data is encrypted\r\nusing the nine random character generated RC4 key and Base64 encoded.\r\n--Begin randomly selected string tags--\r\n\"boardid, bbsNo, strBoardID, userid, bbsfilename, code, pidseqNo, ReportID, v, PageNumbernumviewread, action,\r\npagemodeidx, cateId, bbsId, pType, pcode, index, tblidx_num, act, bbs_id, bbs_form, bidbbscate, menutcode, b_code,\r\nbname, tb, borad01, borad02, borad03, midnewsid, table, Board_seq, bc_idx, seqArticleIDB_Notice, nowPage, webid,\r\nboardDiv, sub_idx\"\r\n--End randomly selected string tags--\r\nThe second parameter tag 'page=' is a randomly selected name from the list of the above string tags which contains the\r\n\"session id\" data. This data is encrypted using the same generated RC4 key before Base64 encoded.\r\nThe third parameter tag 'bbsNo=' is a randomly selected name from the list of the above string tags which contains a hard-coded string data \"T1B7D95256A2001E\" in the malware. This data is encrypted using the RC4 key and then the data is\r\nBase64 encoded. Analysis indicates that when encrypting data from the first three parameters, the encryption starts \"0xC00\r\nbytes\" into the RC4 key stream.\r\nThe fourth parameter tag 'bname=' is a randomly selected name from a list of the above string tags which contains the\r\ndatagram to be sent. The datagram is encrypted with a combination of RC4 and differential XOR. 
The RC4 key used is \"0D\r\n06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82\".\r\nIt contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:\r\n--Begin built-in functions--\r\nRetrieve information about all installed disks, including the disk type and the amount of free space on the disk\r\nCreate, start, and terminate a new process and its primary thread\r\nSearch, read, write, move, and execute files\r\nGet and modify file or directory timestamps\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 26 of 35\n\nChange the current directory for a process or file\r\nDelete malware and artifacts associated with the malware from the infected system\r\n--End built-in functions--\r\n8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050\r\nDetails\r\nName 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050\r\nSize 172208 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 63d155f889e09272d85cfd9dfc266131\r\nSHA1 3f6ef29b86bf1687013ae7638f66502bcf883bfd\r\nSHA256 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050\r\nSHA512 1f5464c9cb2786174d953666a287d5a681abe627e9caddf45986cd73290e6d73db9ddf2ccd589a0c09e4fe10cdf42b1d8d31dbfc575950586\r\nssdeep 768:XKXHstI+TCTWBGtl7CTnEUbrNXzuXrSXjkD4opaY16iWr:X7TCN/CTrbrNjGsjMdvW\r\nEntropy 1.637592\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-10-30 22:21:47-04:00\r\nImport Hash 7e564082b35201e421694b4ecea4ed0a\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n71170f767f99b3b8e8fb41eb4ca505b9 header 1024 2.465212\r\n99d34a0fcb234b3aed2a92fc7101b9f5 .text 20480 6.210180\r\n46abe134e48b8af335f468d25c91a1fe .rdata 9728 4.554618\r\nc545b6874d37d733e970a7e884ddc2c7 .data 4096 2.099924\r\n0d6201e58760b130181228a80ca4a775 .pdata 1536 3.828383\r\na09ee0743bee58fbe63a9a50c1d3f79b .rsrc 512 
5.105029\r\n1360c7212899568e17f02f8e61db1c60 .reloc 512 4.003257\r\nRelationships\r\n8b53b51962... Contained_Within d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\nDescription\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 27 of 35\n\nThis application is a 64-bit DLL unpacked and executed by\r\n\"d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\". This file is designed to unmap the DLL\r\n\"C:\\ProgramData\\iconcache.db\" loaded in the process.\r\ncuriofirenze.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nhxxps[:]//www[.]curiofirenze.com/include/inc-site.asp\r\nPorts\r\n443 TCP\r\nHTTP Sessions\r\nhttps://www.curiofirenze.com/include/inc-site.asp\r\nid=bHRhcGpjaGR05HIC99liJ/0pLNaM14H22x8ktA==\u0026PageNumber=hitSpw==\u0026bname=4CInpdMuf615aK3cidCq+w==\u0026tb=\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d Mozilla/5 0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/71.0.3578.98 Safari/537.36\r\nWhois\r\nDomain Name: curiofirenze.com\r\nRegistry Domain ID: 1874895918_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.joker.com\r\nRegistrar URL: https://joker.com\r\nUpdated Date: 2019-11-25T10:15:37Z\r\nCreation Date: 2014-09-09T12:05:53Z\r\nRegistrar Registration Expiration Date: 2020-09-09T12:05:53Z\r\nRegistrar: CSL Computer Service Langenbach GmbH d/b/a joker.com\r\nRegistrar IANA ID: 113\r\nRegistrar Abuse Contact Email: abuse@joker.com\r\nRegistrar Abuse Contact Phone: +49.21186767447\r\nReseller: CWNET s.r.l.\r\nReseller: Internet Service Provider\r\nReseller: http://www.cheapnet.it\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistrant Organization: Curio s.r.l.\r\nRegistrant State/Province: FI\r\nRegistrant Country: IT\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 28 of 35\n\nName Server: 
lady.ns.cloudflare.com\r\nName Server: phil.ns.cloudflare.com\r\nDNSSEC: unsigned\r\nURL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\r\n\u003e\u003e\u003e Last update of WHOIS database: 2020-06-30T20:18:19Z \u003c\u003c\u003c\r\nRelationships\r\ncuriofirenze.com Connected_From b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\ncuriofirenze.com Connected_From d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\ncuriofirenze.com Resolved_To 192.99.20.39\r\ncuriofirenze.com Connected_From bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\ncuriofirenze.com Connected_To 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nDescription\r\nBoth the 32-bit and 64-bit \"iconcache.db\" connect to the domain via HTTPS POST requests on port 443 with encoded data.\r\n192.99.20.39\r\nWhois\r\nQueried whois.arin.net with \"n 192.99.20.39\"...\r\nNetRange:     192.99.0.0 - 192.99.255.255\r\nCIDR:         192.99.0.0/16\r\nNetName:        OVH-ARIN-7\r\nNetHandle:     NET-192-99-0-0-1\r\nParent:         NET192 (NET-192-0-0-0-0)\r\nNetType:        Direct Allocation\r\nOriginAS:     AS16276\r\nOrganization: OVH Hosting, Inc. 
(HO-2)\r\nRegDate:        2013-06-17\r\nUpdated:        2013-06-17\r\nComment:        www.ovh.com\r\nRef:            https://rdap.arin.net/registry/ip/192.99.0.0\r\nOrgName:        OVH Hosting, Inc.\r\nOrgId:         HO-2\r\nAddress:        800-1801 McGill College\r\nCity:         Montreal\r\nStateProv:     QC\r\nPostalCode:     H3A 2N4\r\nCountry:        CA\r\nRegDate:        2011-06-22\r\nUpdated:        2017-01-28\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 29 of 35\n\nRef:            https://rdap.arin.net/registry/entity/HO-2\r\nOrgAbuseHandle: ABUSE3956-ARIN\r\nOrgAbuseName: Abuse\r\nOrgAbusePhone: +1-855-684-5463\r\nOrgAbuseEmail: abuse@ovh.ca\r\nOrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3956-ARIN\r\nOrgTechHandle: NOC11876-ARIN\r\nOrgTechName: NOC\r\nOrgTechPhone: +1-855-684-5463\r\nOrgTechEmail: noc@ovh.net\r\nOrgTechRef:    https://rdap.arin.net/registry/entity/NOC11876-ARIN\r\nRelationships\r\n192.99.20.39 Resolved_To curiofirenze.com\r\nDescription\r\nDomain \"curiofirenze.com\" resolved to this IP address during analysis.\r\nautomercado.co.cr\r\nTags\r\ncommand-and-control\r\nURLs\r\nhxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nPorts\r\n443 TCP\r\nHTTP Sessions\r\nhxxps[:]//www[.]automercado.co.cr/empleo/css/main.jsp\r\nid=ZHJnd296a3RneKp2cza8ztn5YZTuEO4IhpdkXb0=\u0026bbs_id=Kfk8Gw==\u0026bname=TvlHGxvhwYmiNri5Grdduw==\u0026idx_num=\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d Mozilla/5 0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/71.0.3578.98 Safari/537.36\r\nWhois\r\ndomain:     automercado.co.cr\r\nregistrant: CON-292\r\nadmin-c:     CON-292\r\nnsset:        AUTOMERCADO_CO_CR\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 30 of 35\n\nregistrar:    NIC-REG1\r\nregistered: 03.03.1996 06:00:00\r\nchanged:     24.02.2020 08:19:22\r\nexpire:     
02.03.2021\r\ncontact:     CON-292\r\naddress:     San José\r\naddress:     1500-1000\r\naddress:     San Josí©\r\naddress:     CR\r\nregistrar:    NIC-REG1\r\ncreated:     03.06.2011 22:38:21\r\nnsset:        AUTOMERCADO_CO_CR\r\nnserver:     ns3.x-peditenetworks.com\r\nnserver:     ns1.x-peditenetworks.com\r\nnserver:     ns2.x-peditenetworks.com\r\ntech-c:     ASANCHEZ_AT_AUTOMERCADO.CR\r\nregistrar:    NIC-REG1\r\ncreated:     03.06.2011 12:27:09\r\nchanged:     25.09.2012 10:01:46\r\naddress:     50 m sur del parque morazan\r\naddress:     San Jose\r\naddress:     1500-1000\r\naddress:     San José\r\naddress:     CR\r\nregistrar:    NIC-REG1\r\ncreated:     25.09.2012 09:59:04\r\nRelationships\r\nautomercado.co.cr Resolved_To 54.241.91.49\r\nautomercado.co.cr Connected_From b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nautomercado.co.cr Connected_From d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\nautomercado.co.cr Connected_From bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\nautomercado.co.cr Connected_To 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nDescription\r\nBoth the 32-bit and 64-bit \"iconcache.db\" connect to the domain via HTTPS POST requests on port 443 with encoded data.\r\n54.241.91.49\r\nWhois\r\nQueried whois.arin.net with \"n 54.241.91.49\"...\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 31 of 35\n\nNetRange:     54.240.0.0 - 54.255.255.255\r\nCIDR:         54.240.0.0/12\r\nNetName:        AMAZON-2011L\r\nNetHandle:     NET-54-240-0-0-1\r\nParent:         NET54 (NET-54-0-0-0-0)\r\nNetType:        Direct Allocation\r\nOriginAS:     AS16509\r\nOrganization: Amazon Technologies Inc. 
(AT-88-Z)\r\nRegDate:        2011-12-09\r\nUpdated:        2012-04-02\r\nRef:            https://rdap.arin.net/registry/ip/54.240.0.0\r\nOrgName:        Amazon Technologies Inc.\r\nOrgId:         AT-88-Z\r\nAddress:        410 Terry Ave N.\r\nCity:         Seattle\r\nStateProv:     WA\r\nPostalCode:     98109\r\nCountry:        US\r\nRegDate:        2011-12-08\r\nUpdated:        2020-03-31\r\nComment:        All abuse reports MUST include:\r\nComment:        * src IP\r\nComment:        * dest IP (your IP)\r\nComment:        * dest port\r\nComment:        * Accurate date/timestamp and timezone of activity\r\nComment:        * Intensity/frequency (short log extracts)\r\nComment:        * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the\r\nIP address at that point in time.\r\nRef:            https://rdap.arin.net/registry/entity/AT-88-Z\r\nOrgAbuseHandle: AEA8-ARIN\r\nOrgAbuseName: Amazon EC2 Abuse\r\nOrgAbusePhone: +1-206-266-4064\r\nOrgAbuseEmail: abuse@amazonaws.com\r\nOrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN\r\nOrgNOCHandle: AANO1-ARIN\r\nOrgNOCName: Amazon AWS Network Operations\r\nOrgNOCPhone: +1-206-266-4064\r\nOrgNOCEmail: amzn-noc-contact@amazon.com\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 32 of 35\n\nOrgNOCRef:    https://rdap.arin.net/registry/entity/AANO1-ARIN\r\nOrgTechHandle: ANO24-ARIN\r\nOrgTechName: Amazon EC2 Network Operations\r\nOrgTechPhone: +1-206-266-4064\r\nOrgTechEmail: amzn-noc-contact@amazon.com\r\nOrgTechRef:    https://rdap.arin.net/registry/entity/ANO24-ARIN\r\nOrgRoutingHandle: ADR29-ARIN\r\nOrgRoutingName: AWS Dogfish Routing\r\nOrgRoutingPhone: +1-206-266-4064\r\nOrgRoutingEmail: aws-dogfish-routing-poc@amazon.com\r\nOrgRoutingRef:    https://rdap.arin.net/registry/entity/ADR29-ARIN\r\nOrgRoutingHandle: IPROU3-ARIN\r\nOrgRoutingName: IP Routing\r\nOrgRoutingPhone: +1-206-266-4064\r\nOrgRoutingEmail: 
aws-routing-poc@amazon.com\r\nOrgRoutingRef:    https://rdap.arin.net/registry/entity/IPROU3-ARIN\r\nRelationships\r\n54.241.91.49 Resolved_To automercado.co.cr\r\nDescription\r\nDomain \"automercado.co.cr\" resolved to this IP during analysis.\r\nRelationship Summary\r\n586d012540... Connected_To agarwalpropertyconsultants.com\r\nagarwalpropertyconsultants.com Connected_From 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e\r\nagarwalpropertyconsultants.com Resolved_To 199.79.63.24\r\n199.79.63.24 Resolved_To agarwalpropertyconsultants.com\r\n158ddb8561... Connected_To anca-aste.it\r\n7933716892... Connected_To anca-aste.it\r\n6a3446b8a4... Connected_To anca-aste.it\r\nanca-aste.it Resolved_To 51.68.152.96\r\nanca-aste.it Connected_From 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1\r\nanca-aste.it Connected_From 158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17\r\nanca-aste.it Connected_From 7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971\r\n51.68.152.96 Resolved_To anca-aste.it\r\nd40ad4cd39... Dropped b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nb70e66d387... Connected_To curiofirenze.com\r\nb70e66d387... Connected_To automercado.co.cr\r\nb70e66d387... Dropped_By d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 33 of 35\n\nb70e66d387... Contains bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\nb70e66d387... Contains 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd\r\nbdfd16dc53... Contained_Within b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nbdfd16dc53... Connected_To curiofirenze.com\r\nbdfd16dc53... Connected_To automercado.co.cr\r\n7d507281e2... Contained_Within b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\n0fc12e03ee... Dropped d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\nd5186efd85... 
Connected_To curiofirenze.com\r\nd5186efd85... Connected_To automercado.co.cr\r\nd5186efd85... Dropped_By 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6\r\nd5186efd85... Contains 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\nd5186efd85... Contains 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050\r\n58027c80c6... Contained_Within d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\n58027c80c6... Connected_From curiofirenze.com\r\n58027c80c6... Connected_From automercado.co.cr\r\n8b53b51962... Contained_Within d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\ncuriofirenze.com Connected_From b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\ncuriofirenze.com Connected_From d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\ncuriofirenze.com Resolved_To 192.99.20.39\r\ncuriofirenze.com Connected_From bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\ncuriofirenze.com Connected_To 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\n192.99.20.39 Resolved_To curiofirenze.com\r\nautomercado.co.cr Resolved_To 54.241.91.49\r\nautomercado.co.cr Connected_From b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9\r\nautomercado.co.cr Connected_From d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5\r\nautomercado.co.cr Connected_From bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1\r\nautomercado.co.cr Connected_To 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\n54.241.91.49 Resolved_To automercado.co.cr\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. 
Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 34 of 35\n\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. 
In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-888-282-0870 or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a\r\nPage 35 of 35",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
	],
	"report_names": [
		"ar20-232a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434802,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f41be63e80159e6c6b8ef04f8a68ca000abb9ff9.pdf",
		"text": "https://archive.orkl.eu/f41be63e80159e6c6b8ef04f8a68ca000abb9ff9.txt",
		"img": "https://archive.orkl.eu/f41be63e80159e6c6b8ef04f8a68ca000abb9ff9.jpg"
	}
}