North Korean Remote Access Trojan: BLINDINGCAN

2020-08-19, USCISA
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
#BLINDINGCAN

Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Remote Access Trojan (RAT) malware variants used by the North Korean government. This malware variant has been identified …

IoC

0111578f53189915a7f39f755087a283b60196283393d7979bc7a65f462c8af646579a57b0d4693bffdca0ceb92e2bad26720c4418b1cbb21ee2b216e7f763a5
02678efe715ff2658c6a4c2b596046b744a8b222
0452202027da519acb3a7d074696de07
054b8c4345e97aa4719415971cb5df83f208a2c11302baba66392251a5d7d8251e564443fd4716d82cacf2a5da94250cc8defd9300e0885034c471a07cdc5510
0685a556cdaa359c306b3c7830fc6f1e
0a93a2ad9833deb5581854bc11c7fcb7
0d6201e58760b130181228a80ca4a775
0ecc687d741c7b009c648ef0de0a5d47213f37ff
0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6
1360c7212899568e17f02f8e61db1c60
158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17
18cfd7e01da5d30a27a885164d5a7b9b
192.99.0.0
192.99.20.39
192.99.255.255
199.79.62.0
199.79.63.24
199.79.63.255
1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954
1f5464c9cb2786174d953666a287d5a681abe627e9caddf45986cd73290e6d73db9ddf2ccd589a0c09e4fe10cdf42b1d8d31dbfc5759505866f516769fea1727
20ee5fdc9589067a7a312d6f660f0c8f33048f511975298ca6a9bfed145fe8fd
21c81d1a5ad5583610f1bcb7827fec54
2564f80bde6880569bc81d572ffd85c6
2cc742e33c53aeb638e9798422f8adaa
300ac7ec543fda0fab22c110a7d26281
3a6b48871abbf2a1ce4c89b08bc0b7d8
3c4d32746197a23e043dec30c3f17502
3f6ef29b86bf1687013ae7638f66502bcf883bfd
40c5103cd9681a2830667957f3e3d037fd25b6c9
46abe134e48b8af335f468d25c91a1fe
4be9aecc0fc76c037420ece97645c6a32294a230
4de4bb5980c9ffde6d9809bca8589667
4eb9a889d49c201486c6a9844c0a3861
4f06d9f35e1f31817d4205f0cda45316
51.68.0.0
51.68.152.0
51.68.152.96
51.68.155.255
513e6f9be441b608d02560144adad488
51741feb8529e34f47173f59abe8b19b
5275449d25a64e7415c1c1e727a0af76b08c2811
531f04a4abeb58f9e10fffc6afe98250
54.241.91.49
56470e113479eacda081c2eeead153bf
5665fa000b3cd52ceae755d35ca698e50cfb9c952cfdc70610b3a262e87be210
58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d
586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e
58c4168b836758e380e64f12eca00760
6066ee1e6c73fe6133738f26cf898280
61de5945f98a8652eaf4ae5b93b41128
61e11f8acaaf9d065546a237ced1e964
63d155f889e09272d85cfd9dfc266131
65793cf7eaeca085293db7251eb4469a
6724ed963fa7ffd1cb3b76a72890b385bcd080a66428f18531f1432a973896d98e9405bd02952ae81b4a6d6294a73cde5911e9998e4f9dae53a2a385ab78e036
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1
6c2d15114ebdd910a336b6b147512a74
6cea7290883f0527dbd3e2df64462684
6d84696445a9339709edc25dfaa36766bcbc1a63aa41386280307a6314c9838a1fb347785becb91346ac9ed8fffe3804e01910e69945c6f41c15a06591213643
6dead31f52ae9c89182635c7bc5363ff
6f329c32f228d9a4d856afd4794c7f2b
70b01a5a98c1febe2bde96c9270957c3
71170f767f99b3b8e8fb41eb4ca505b9
75588d29242e426f361ddcf8c53954f5
771f7e5f68a48e38361f7b1b3c8cc5181a456582515d9b694f98cacd7c33e06dfb994d082c3d009b432fb9f9ecd1f3b194e92b998c203e4e4fa7b93bf6711820
77fd1d56a0f0cf143286fb78519b69eb8ef30f383c117d353ab16d0be5f2bfdbdb847d717dbc8b70b5d806a46fa4a1dc29a8304b8349bc1097075f50557c5da8
78a65874b49922217fd0423cc6293a23f70cb804022283ed3187b71178663ca3
7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971
7955fa7ab32773d17e0e94efeea69cf4
7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd
7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799
7e564082b35201e421694b4ecea4ed0a
80eb6e1fc17919b7444d34b73621166f
88750685639a22c3e4bcb15f40390ff9
8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050
8d179113e963d81adbf8d39ceff456afac3dae16
920679e3a916eba5c0309f6381f49d76
95aab6ef454c364b63002df7949c33602964d0905b4a23511bd9462aa5037c71a933f8bf3a3d650be76926e92bcf39e362a047c2da3da727096d16c1187e0308
96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a
97d24ac0d773f6260ab512fa496099b3289210db
99d34a0fcb234b3aed2a92fc7101b9f5
9a33838895830247744985365b8b2948
9f1fe9ee707daa61e91ad94d618b066f
9feef1eed2a8a5cbfe1c6478f2740d8fe63305e2
a0605f0296280e16d350cf78eb70a0d3
a09ee0743bee58fbe63a9a50c1d3f79b
a1c37a2c9fedecabe570383d81bfb5d6
a2b361aa5b6f2d5912845d84ca96a368
aa773c54a764927c13db914169de9adde26210da8e223d54e206e9fa0b8720ded3d1fbfbbaf13d5cf40a46e1103f90889d6acb86b55515f01eec400a3de1e78d
[email protected]
ae1c3feb6a3beda4db0ce8c794af77e7
aedd1ea7e39bc6c20eb7c1a31ee31945
aefcd8e98a231bccbc9b2c6d578fc8f3
af2479dbb1f93be4fc4a092cbbd4df85
b1dd2c73b3c13a147828f7bb4389d241
b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9
b87183316e04b075a0da8e286b297fdb
bbdf7f1c6cfdab4beb23ae1f5e5e8e3f
bcc0a6688b5a282802700382d72e11663015946a95c701df82fdab164b6ef6889e180617a284e604e931ffc046ec1fd20ac6e20357ec916bada7df4711800290
bddf350b1495019b036eb25682895735
bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1
bfbe6f46025a25810199ae50f7f7ed04
c139714dd00b81eb08ecaf32bdced254
c2c5751cdfdbe9fac44337d4cb6e74e4
c545b6874d37d733e970a7e884ddc2c7
c627db421adaaa320d3ac42396c89f8a
c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e
c7b7bc3bf34654bd45c303561f9359e1
d2e652e58f57bd6314d5ebf8f59687e9
d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9
d41d8cd98f00b204e9800998ecf8427e
d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5
d742ba8cf5b24affdf77bc6869da0dc5
da2a58c7e17c14ced8b67bc462ad7427
dcf95cd96203e794724fc14e454e63fba9afe82a
dddd82c21ee815a570689c8023f51267a2699346eadb8cf5cb6a2bfc4e0404ab8388608e934c03b8b69819bab1b5252ed8b29391f543a1c1e8aeb83360e5f4d2
e032dedb2f8e5a189a3a98897f1f7f92
e7718609577c6e34221b03de7e959a8c
e7aa0237fc3db67a96ebd877806a2c88
e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a
ee27480742e19dfbbedf334ca52aafa5
f13bc7e5f532956e1c5490d27d9b9eb0
f4aff0e36fb98d64ff207a983ca7ed10c11ad7b01953b545c655a3349016f9d6c5fbd3cc8d44851cb68c51f069da2469b1e3445cd60b6e1365375402ad671160
f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3
f9e6c35dbb62101498ec755152a8a67b
http://wdprs.internic.net/
http://www.cheapnet.it
http://www.cwnet.it
https://agarwalpropertyconsultants.com/assets/form/template/img/boeing_ia_cm.jpg
https://joker.com
https://www.anca-aste.it/uploads/form/boeing_iacm_logo.jpg
https://www.anca-aste.it/uploads/form/boeing_jd_t034519.jpg
https://www.anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg
https://www.automercado.co.cr/empleo/css/main.jsp
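The indicator list above is a flat dump: hash types are only distinguishable by length, the same SHA-256 appears in both upper and lower case, and several IPv4 entries (192.99.0.0, 192.99.255.255, 199.79.62.0, ...) are netblock boundaries from whois data rather than hosts the RAT contacted. The following Python script is an added example by the editor, not part of the CISA report or the lazarusholic page; it classifies each line, normalises hashes, derives hostnames from the URLs, and separates netblock boundaries from host IPs so they are reviewed before anyone pushes them into a blocklist. The sample input is a subset of the list above; the boundary heuristic (last octet 0 or 255) is the editor's assumption.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: a subset of the indicator lines from the report above.
SAMPLE_IOCS = """
0452202027da519acb3a7d074696de07
02678efe715ff2658c6a4c2b596046b744a8b222
0FC12E03EE93D19003B2DD7117A66A3DA03BD6177AC6EB396ED52A40BE913DB6
0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6
0111578f53189915a7f39f755087a283b60196283393d7979bc7a65f462c8af646579a57b0d4693bffdca0ceb92e2bad26720c4418b1cbb21ee2b216e7f763a5
192.99.0.0
192.99.20.39
192.99.255.255
54.241.91.49
https://www.automercado.co.cr/empleo/css/main.jsp
https://www.anca-aste.it/uploads/form/boeing_jd_t034519.jpg
http://wdprs.internic.net/
"""

# Hash algorithm inferred from hex-digest length.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(token):
    """Return (indicator type, normalised value) for one line of the list."""
    if HEX_RE.match(token) and len(token) in HASH_TYPES:
        # Lower-case so that mixed-case duplicates collapse to one entry.
        return HASH_TYPES[len(token)], token.lower()
    try:
        ip = ipaddress.ip_address(token)
        return ("ipv4" if ip.version == 4 else "ipv6"), str(ip)
    except ValueError:
        pass
    if token.startswith(("http://", "https://")):
        return "url", token
    if "@" in token:
        return "email", token.lower()
    return "unknown", token


def is_netblock_boundary(ip_str):
    """Editor's heuristic: .0 / .255 last octets in this list are the start and
    end of whois netblocks (e.g. 192.99.0.0 - 192.99.255.255), not observed hosts."""
    return ip_str.endswith((".0", ".255"))


def triage(text):
    """Bucket every indicator by type; return {type: sorted list of values}."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        tok = line.strip()
        if not tok:
            continue
        kind, value = classify(tok)
        buckets[kind].add(value)
    # Hostnames from the URLs, for DNS / proxy blocking.
    buckets["host"] = {urlparse(u).hostname for u in buckets["url"]}
    # Keep range boundaries apart from host IPs so they get a human look first.
    buckets["ipv4_boundary"] = {ip for ip in buckets["ipv4"] if is_netblock_boundary(ip)}
    buckets["ipv4"] -= buckets["ipv4_boundary"]
    return {kind: sorted(values) for kind, values in buckets.items()}


if __name__ == "__main__":
    for kind, values in triage(SAMPLE_IOCS).items():
        print(f"{kind}: {len(values)}")
        for v in values:
            print("   ", v)
```

Feed the full list to `triage()` and review the `ipv4_boundary` and `unknown` buckets by hand before exporting the rest; blocking 192.99.0.0/16 because a /16 boundary appears in a report is a common and avoidable mistake.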
rule CISA_10135536_06 : trojan rat HIDDENCOBRA BLINDINGCAN
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10135536"
        Date = "2018-05-04"
        Actor = "HiddenCobra"
        Category = "Trojan RAT"
        Family = "BLINDINGCAN"
        Description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
        MD5_1 = "f9e6c35dbb62101498ec755152a8a67b"
        SHA256_1 = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
        MD5_2 = "d742ba8cf5b24affdf77bc6869da0dc5"
        SHA256_2 = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
        MD5_3 = "aefcd8e98a231bccbc9b2c6d578fc8f3"
        SHA256_3 = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
        MD5_4 = "3a6b48871abbf2a1ce4c89b08bc0b7d8"
        SHA256_4 = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
    strings:
        // Four "mov dword [ebp-0x14..-0x08], imm32" stores that write the DER bytes
        // 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 onto the stack: the
        // rsaEncryption OID (1.2.840.113549.1.1.1), a NULL, and the start of a
        // BIT STRING, i.e. the tail of an RSA SubjectPublicKeyInfo header that the
        // sample assembles at runtime instead of storing as a contiguous blob.
        $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
        // "PMS*.tmp" in ASCII
        $s1 = { 50 4D 53 2A 2E 74 6D 70 }
        // 24-byte constant present in the listed samples
        $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
    condition:
        any of them
}
rule CISA_10295134_01 : rat trojan HIDDENCOBRA BLINDINGCAN
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10295134"
        Date = "2020-07-28"
        Last_Modified = "20200730_1030"
        Actor = "HiddenCobra"
        Category = "Trojan RAT"
        Family = "BLINDINGCAN"
        Description = "Detects 32 and 64bit HiddenCobra BlindingCan Trojan RAT"
        MD5_1 = "e7718609577c6e34221b03de7e959a8c"
        SHA256_1 = "bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1"
        MD5_2 = "6c2d15114ebdd910a336b6b147512a74"
        SHA256_2 = "58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d"
    strings:
        // 64-bit form: "mov dword [rsp+0x20..0x2C], imm32" x4, writing the same DER
        // bytes 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 to the stack
        // (rsaEncryption OID 1.2.840.113549.1.1.1, NULL, BIT STRING tag).
        $s0 = { C7 44 24 20 0D 06 09 2A C7 44 24 24 86 48 86 F7 C7 44 24 28 0D 01 01 01 C7 44 24 2C 05 00 03 82 }
        // 32-bit form of the same stack-built RSA key header ([ebp-0x14..-0x08]).
        $s1 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
    condition:
        $s0 or $s1
}
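Both rules key on the same behaviour: a run of 32-bit immediate stores to the stack whose immediates, read back in address order, form DER-encoded ASN.1. Because the OID bytes are split across four instructions, a plain string search for `2A 86 48 86 F7 0D 01 01 01` would miss the sample, which is why the rules match the instruction encoding instead. The script below is an added example by the editor (not CISA's or the page's own code): it decodes the two hex patterns from the rules, reassembles the stack bytes, and identifies the OID they carry. The x86 decoding handles only the two addressing forms that appear in the rules (`C7 45 disp8 imm32` and `C7 44 24 disp8 imm32`); that restriction is the editor's choice, not a property of the malware. A practitioner should still confirm any hit against the listed hashes, since other software that builds an RSA SubjectPublicKeyInfo on the stack could produce the same store sequence.

```python
# Hex patterns copied from the two YARA rules above.
PATTERN_32 = "C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82"
PATTERN_64 = "C7 44 24 20 0D 06 09 2A C7 44 24 24 86 48 86 F7 C7 44 24 28 0D 01 01 01 C7 44 24 2C 05 00 03 82"

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def _disp8(b):
    """Sign-extend an 8-bit displacement."""
    return b - 0x100 if b >= 0x80 else b


def recover_stack_bytes(pattern):
    """Reassemble the immediates written by a run of
    'mov dword [ebp+disp8], imm32'  (C7 45 disp8 imm32)      or
    'mov dword [rsp+disp8], imm32'  (C7 44 24 disp8 imm32)
    into the byte string as it lands in memory (ascending address).
    Only these two forms are supported; anything else raises."""
    code = bytes.fromhex(pattern.replace(" ", ""))
    stores = []
    i = 0
    while i < len(code):
        if code[i] != 0xC7:
            raise ValueError(f"unexpected opcode {code[i]:02X} at offset {i}")
        if code[i + 1] == 0x45:                  # ModRM: [ebp + disp8]
            disp, imm, size = _disp8(code[i + 2]), code[i + 3:i + 7], 7
        elif code[i + 1:i + 3] == b"\x44\x24":   # ModRM + SIB: [rsp + disp8]
            disp, imm, size = _disp8(code[i + 3]), code[i + 4:i + 8], 8
        else:
            raise ValueError(f"unsupported addressing form at offset {i}")
        if len(imm) != 4:
            raise ValueError("truncated immediate")
        stores.append((disp, imm))
        i += size
    stores.sort()                                # lowest address first
    return b"".join(imm for _, imm in stores)    # little-endian imm == memory order


def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def find_oids(blob):
    """Return every short-form DER OID (tag 0x06) found in blob, in order."""
    found = []
    i = 0
    while i < len(blob) - 1:
        n = blob[i + 1]
        if blob[i] == 0x06 and n < 0x80 and i + 2 + n <= len(blob):
            found.append(decode_oid(blob[i + 2:i + 2 + n]))
            i += 2 + n
        else:
            i += 1
    return found


def builds_rsa_key_header(pattern):
    """True if the store sequence writes the rsaEncryption AlgorithmIdentifier."""
    return RSA_ENCRYPTION_OID in find_oids(recover_stack_bytes(pattern))


if __name__ == "__main__":
    for name, pat in (("32-bit", PATTERN_32), ("64-bit", PATTERN_64)):
        blob = recover_stack_bytes(pat)
        print(f"{name}: stack bytes {blob.hex()} -> OIDs {find_oids(blob)}")
```

The recovered bytes, `0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82`, are the length byte of a `SEQUENCE { OID rsaEncryption, NULL }` followed by the BIT STRING tag that introduces the RSA key material, so the rules are effectively detecting the sample's embedded public key construction rather than any particular key.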