lazarusholic

Everyday is lazarus.dayβ

North Korean Trojan: BANKSHOT

2017-12-21, USCISA
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF
e5c0ca00ddcb691ad2d08f89e5e274661f6b3f0c.pdf, 161.2 KB
#HiddenCobra #Bankshot #YARA

Contents

TLP:WHITE
Malware Analysis Report (MAR) - 10135536-B
2017-12-13
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.
Summary
Description
This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as …

IoC

rule Unauthorized_Proxy_Server_RAT
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Incident = "10135536"
        MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
        MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
        Info = "Detects Proxy Server RAT"
        super_rule = 1

    strings:
        // Raw byte sequences taken from the analyzed samples; a hit on any one of them is enough (see condition)
        $s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
        $s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
        $s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
        $s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
        $s4 = {B91A7900008A140780F29A8810404975F4}
        $s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
        $s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
        $s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
        $s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
        $s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
        $s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
        $s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
        $s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
        $s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}

    condition:
        any of them
}