MAR-10160323.r1.v2
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
US-CERT
2020-05-08T11:16:11-04:00
BMachine
89
7.1.0
File: 3f98c434d7b39de61a8b459180dd46a3
Size: 121344 bytes
Type: Composite Document File V2 Document, Cannot read section info
MD5: 3f98c434d7b39de61a8b459180dd46a3
SHA1: 1584b3ce64835a3c7b796139fbd981a9f2cddb6c
SHA256: 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
SHA512: 27643afc00fda2dd8b447af1e6950d65fe5b4dd91a8eb022fef68694126efe41fd8895a6c065c261507bb526668c27f4bc055ac58c592d43cf760c32e365be2d
SSDEEP: 1536:+dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9n:u1FLNEfBj2NSRvZQnEDtShuA3H9yW
Entropy: 7.947501
Contains: aa525af1589156fc09f78e69b3b03428
117864
Macromedia Flash data, version 32
MD5
aa525af1589156fc09f78e69b3b03428
SHA1
6ff889358923ab2a0de80303be9ac559a555b9b9
SHA256
851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
SHA512
3a82f830bcf547c94a3b0e56ffa27330328b392a4d1356f7e62a28c18d2eb110507968a3f66e51e985ffceb3640885e5402623cf9ab987ae7a005cff2b1edd57
SSDEEP
1536:4dVr1FoOLJEd4EQA9mVOkxN7ORzh9n98scLzA4QfwnEOCnnvlQXRhuA+0qwvxH9S:41FLNEfBj2NSRvZQnEDtShuA3H9yf
7.987027
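The report identifies the first file as an OLE2 container (Composite Document File V2) with entropy 7.95 that contains a "Macromedia Flash data, version 32" object with entropy 7.99. Both values sit near the 8.0 ceiling, which is what zlib-compressed (CWS) Flash looks like. The script below is an added example, not code from the MAR or from US-CERT: it carves SWF objects out of an arbitrary byte blob by signature (FWS/CWS/ZWS, version byte, declared length), validates CWS candidates by inflating them, and computes Shannon entropy so the numbers in the report can be reproduced on a suspect file. The OLE-like document it scans is constructed in memory; the version cut-off of 64 and the sector padding are assumptions for the example.

```python
"""Carve embedded Flash (SWF) objects out of an OLE/CDF container and
measure their entropy. Added example, not from the MAR; the document
scanned at the bottom is constructed, not the reported sample."""
import math
import struct
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # "Composite Document File V2" header
SWF_SIGS = (b"FWS", b"CWS", b"ZWS")             # uncompressed, zlib, LZMA


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniform bytes.
    Values close to 8 indicate compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _candidates(blob: bytes):
    """Yield (offset, signature) for every SWF magic found in blob."""
    for sig in SWF_SIGS:
        pos = blob.find(sig)
        while pos != -1:
            yield pos, sig
            pos = blob.find(sig, pos + 1)


def carve_swf(blob: bytes):
    """Return one record per plausible SWF embedded anywhere in blob.
    Header: 3-byte signature, 1-byte version, uint32 LE uncompressed
    length (header included). CWS bodies are inflated to confirm the
    stream is real and to locate its end; ZWS is reported by header only."""
    found = []
    for off, sig in sorted(_candidates(blob)):
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        (declared_len,) = struct.unpack_from("<I", blob, off + 4)
        if version == 0 or version > 64 or declared_len < 8:   # assumption: sane header
            continue
        rec = {"offset": off, "signature": sig.decode(), "version": version,
               "uncompressed_len": declared_len, "raw": None, "body": None}
        if sig == b"CWS":
            d = zlib.decompressobj()
            try:
                body = d.decompress(blob[off + 8:])
            except zlib.error:
                continue                      # signature collision, not a zlib stream
            if not d.eof or len(body) + 8 != declared_len:
                continue
            rec["raw"] = blob[off:len(blob) - len(d.unused_data)]
            rec["body"] = body
        elif sig == b"FWS":
            if off + declared_len > len(blob):
                continue
            rec["raw"] = blob[off:off + declared_len]
            rec["body"] = blob[off + 8:off + declared_len]
        found.append(rec)
    return found


def build_cws(version: int, body: bytes) -> bytes:
    """Constructed test data: a minimal zlib-compressed SWF wrapper."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def sample_document() -> bytes:
    """Constructed OLE-like blob with a version-32 CWS starting at offset 1024."""
    body = bytes(range(256)) * 16 + b"constructed-swf-body-" * 8
    return OLE_MAGIC + b"\x00" * 1016 + build_cws(32, body) + b"\x00" * 128


if __name__ == "__main__":
    for r in carve_swf(sample_document()):
        print(f"{r['signature']} v{r['version']} at 0x{r['offset']:x}: "
              f"{r['uncompressed_len']} bytes uncompressed, "
              f"entropy of stored object {shannon_entropy(r['raw']):.3f}")
```

Run the carver over the OLE document and then hash and `file` each carved object; the carved CWS should reproduce the "Macromedia Flash data, version 32" identification, and the version byte (0x20) is a quick triage check before any ActionScript analysis.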
Contained_Within: 3f98c434d7b39de61a8b459180dd46a3
Connected_To: www.korea-tax.info (TCP port 80)
URLs requested:
www.korea-tax.info/crossdomain.xml
www.korea-tax.info/main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
Queried whois.afilias.info with "korea-tax.info"...
Domain Name: KOREA-TAX.INFO
Registry Domain ID: D503300000055962553-LRMS
Registrar WHOIS Server:
Registrar URL: http://www.PublicDomainRegistry.com
Updated Date: 2018-02-10T20:31:57Z
Creation Date: 2017-12-12T05:52:58Z
Registry Expiry Date: 2018-12-12T05:52:58Z
Registrar Registration Expiration Date:
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1.2013775952
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C213778924-LRMS
Registrant Name: yang jieun
Registrant Organization: yang jieun
Registrant Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Registrant City: Kwangmyong
Registrant State/Province: Kyonggi-do
Registrant Postal Code: 14200
Registrant Country: KR
Registrant Phone: +82.1044612320
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: john.chapman91128@gmail.com
Registry Admin ID: C213778924-LRMS
Admin Name: yang jieun
Admin Organization: yang jieun
Admin Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Admin City: Kwangmyong
Admin State/Province: Kyonggi-do
Admin Postal Code: 14200
Admin Country: KR
Admin Phone: +82.1044612320
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: john.chapman91128@gmail.com
Registry Tech ID: C213778924-LRMS
Tech Name: yang jieun
Tech Organization: yang jieun
Tech Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Tech City: Kwangmyong
Tech State/Province: Kyonggi-do
Tech Postal Code: 14200
Tech Country: KR
Tech Phone: +82.1044612320
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: john.chapman91128@gmail.com
Registry Billing ID: C213778924-LRMS
Billing Name: yang jieun
Billing Organization: yang jieun
Billing Street: 25-11 Wongwangmyeongan-ro Gwangmyeong-si Gyeonggi-do
Billing City: Kwangmyong
Billing State/Province: Kyonggi-do
Billing Postal Code: 14200
Billing Country: KR
Billing Phone: +82.1044612320
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: john.chapman91128@gmail.com
Name Server: NS3.HOSTINGER.COM
Name Server: NS4.HOSTINGER.COM
Name Server: NS1.HOSTINGER.COM
Name Server: NS2.HOSTINGER.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
File: 111d205422fe90848c2f41cc84ebd96a
Size: 117338 bytes
Type: Macromedia Flash data, version 32
MD5: 111d205422fe90848c2f41cc84ebd96a
SHA1: b03f6f336c07d514edb15d6e3fefd98432cae7e2
SHA256: fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
SHA512: a8e7db77fd6f27ae8ca18be8ed644df3443d17b048fc6baf1b7496da2810b014e19a35e9502de252ad65cf4feb07ccba53aeb567ad62d897231c1a3b17d619b5
SSDEEP: 3072:BebZ1dssmUo7VUthHkNEVVKJ6ydYBpb2N4r1Je:sbZfssAGoQymsgM
Entropy: 7.98361
Connected_To: www.1588-2040.co.kr (TCP port 80)
URLs requested:
www.1588-2040.co.kr/crossdomain.xml
www.1588-2040.co.kr/design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207
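Both Flash objects produce the same network shape: a fetch of `/crossdomain.xml` (the policy file Flash Player requests before a cross-domain load), then a GET to a `.php` path whose query carries a 200-character hex `id` plus `fp_vs` (Flash Player version, here `WIN 18.0,0,209`) and `os_vs` (`Windows 7`). That pair of version parameters is the exploit reporting what it found to the server. The detector below is an added example, not part of the MAR: it parses a URL into those fields, then walks proxy log lines and pairs each beacon with an earlier crossdomain.xml fetch by the same client from the same host. The log format (timestamp, client, method, URL), the 64-hex-character minimum for `id` and the log lines themselves are constructed for the example; the two beacon URLs are the ones printed in this report.

```python
"""Flag the Flash exploit call-back pattern from the MAR in proxy logs.
Added example; the log excerpt is constructed, the beacon URLs are from
the report."""
import re
from urllib.parse import urlsplit, parse_qs

HEX_ID = re.compile(r"^[0-9A-Fa-f]{64,}$")   # threshold is an assumption; the MAR ids are 200 hex chars
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)")   # constructed format: ts client method url


def _split(url: str):
    # The MAR prints URLs without a scheme; urlsplit needs one to find the host.
    return urlsplit(url if "://" in url else "http://" + url)


def parse_flash_beacon(url: str):
    """Return {host, path, id_len, fp_vs, os_vs} when url has a long hex
    id together with fp_vs and os_vs query parameters, else None."""
    parts = _split(url)
    q = parse_qs(parts.query)
    ids, fp, osv = q.get("id", []), q.get("fp_vs", []), q.get("os_vs", [])
    if not (ids and fp and osv) or not HEX_ID.match(ids[0]):
        return None
    return {"host": parts.hostname, "path": parts.path,
            "id_len": len(ids[0]), "fp_vs": fp[0], "os_vs": osv[0]}


def scan_proxy_log(lines):
    """Single pass over log lines. Each beacon is reported with
    crossdomain_seen=True if the same client fetched /crossdomain.xml
    from the same host earlier, the order Flash Player produces when a
    SWF makes a cross-domain request."""
    seen_crossdomain = set()
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        parts = _split(url)
        if parts.path.endswith("/crossdomain.xml"):
            seen_crossdomain.add((client, parts.hostname))
            continue
        hit = parse_flash_beacon(url)
        if hit:
            hit.update(ts=ts, client=client,
                       crossdomain_seen=(client, hit["host"]) in seen_crossdomain)
            findings.append(hit)
    return findings


# Constructed excerpt. Lines 2-3 model the korea-tax.info sequence from the MAR;
# line 4 is the 1588-2040.co.kr beacon without a preceding policy-file fetch;
# line 5 is a benign-looking request that must not match (short id, no os_vs).
SAMPLE_LOG = [
    "2018-02-01T09:00:01Z 10.0.0.5 GET http://www.example.com/index.html",
    "2018-02-01T09:00:07Z 10.0.0.5 GET http://www.korea-tax.info/crossdomain.xml",
    "2018-02-01T09:00:08Z 10.0.0.5 GET http://www.korea-tax.info/main/local.php?id=8B4D963B41003E407AC0022E40FCE01C1DA94EB8DEEF20939722ABBFE7F52B9C7DEA62EFDB0D82345AE24D366F9C7BDC2C8F5C460AE8BE18E59C1116489EC9F2EB5504617A4D6D74982D602624E94F32BB3864277E4967BD15B1E36AF4A98431DC76C4BB&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207",
    "2018-02-01T09:10:30Z 10.0.0.9 GET http://www.1588-2040.co.kr/design/m/images/image/image.php?id=2E4B4EE62772DB77094E0210546BEEBF2F669A2309009324807100E182FFDFEAB2CE91B00DFA993ACDE3A1198DC8BD9DAF98F449FB04FD8588D94693E08D3BC45F17C4ECDC040F138CC8916D2252478D3BE342D5FA1F6231EF6562053E5C1463FDCEEE82&fp_vs=WIN%2018.0,0,209&os_vs=Windows%207",
    "2018-02-01T09:11:00Z 10.0.0.5 GET http://www.example.com/player.php?id=abc123&fp_vs=WIN%2018.0,0,209",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['host']}{f['path']} "
              f"id={f['id_len']} hex chars fp_vs={f['fp_vs']!r} os_vs={f['os_vs']!r} "
              f"crossdomain_first={f['crossdomain_seen']}")
```

A match on `fp_vs`/`os_vs` alone is the higher-value signal; the crossdomain.xml pairing mostly helps rank hits, since a SWF hosted on the same origin as its callback would not need the policy file.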
Domain Name : 1588-2040.co.kr
Registrant : S.S. Moon
Registrant Address : 1303 manhatan b/d 36-2, Yeoeuido-dong Yeongdeungpo-gu Seoul Korea
Registrant Zip Code : 150749
Administrative Contact(AC) : S.S. Moon
AC E-Mail : card15882040@nate.com
AC Phone Number : 02-2090-3500
Registered Date : 2009. 07. 03.
Last Updated Date : 2015. 07. 03.
Expiration Date : 2018. 07. 03.
Publishes : Y
Authorized Agency : Asadal, Inc.(http://www.asadal.co.kr)
DNSSEC : unsigned
Primary Name Server
Host Name : ns.epart.com
Secondary Name Server
Host Name : ns1.epart.com
File: d2881e56e66aeaebef7efaa60a58ef9b
Size: 626688 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d2881e56e66aeaebef7efaa60a58ef9b
SHA1: c09c1be69e5a206bcfe3d726773f0b0ddecb3622
SHA256: e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
SHA512: da6e40bcebc6161386142caa6c1e68faf7f520cc48cbb514d8029d65f9bb0cac14bde435eb584a998be9e379cc875b85719cc0d4ee9d0fed73b5c20cf7da7fe8
SSDEEP: 12288:cbeQy0+6dUlyAcdqfAkMvGpns9gKYLd+NjhzZkZf7:AfuJGv2ns9XRkZf
Packers/Compilers/Cryptors: Microsoft Visual C++ ?.?
Entropy: 7.866467
Contains: 5c6c1ed910e7c9740a0289a6d278908a
Figure 1
too long
invalid string position
string too long
Aapplication/json
path
https://api.dropboxapi.com/2/files/delete
https://content.dropboxapi.com/2/files/upload
application/octet-stream
{"path":"%s","mode":{".tag":"overwrite"}}
{"path":"%s"}
Dropbox-API-Arg
https://content.dropboxapi.com/2/files/download
Ahttps://api.pcloud.com/oauth2_token
https://my.pcloud.com/oauth2/authorize
https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1
--wwjaughalvncjwiajs--
Content-Type: voice/mp3
multipart/form-data;boundary=--wwjaughalvncjwiajs--
fileids
https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1
hosts
https://%s%s
https://api.pcloud.com/deletefile?path=%s
true
%s/%s
OAuth
PUT
href
https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s
false
202
https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s
method
https://cloud-api.yandex.net/v1/disk/resources/download?path=%s
--End Strings of Interest--
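The strings above show that this executable carries the client side of three cloud-storage APIs (Dropbox `/2/files/upload`, `/download`, `/delete` with a `Dropbox-API-Arg` JSON header; pCloud `uploadfile`, `getfilelink`, `deletefile` with OAuth2; Yandex Disk `resources/upload`, `/download`, `resources?permanently=`), plus a fixed multipart boundary `--wwjaughalvncjwiajs--` and a part labelled `Content-Type: voice/mp3`. Traffic to those hosts is ordinary, so the practical use of the list is host-side: find the strings in a binary or memory dump. The scanner below is an added example, not the MAR's or any vendor's signature. It searches for each string in both ASCII and UTF-16LE, because Windows code built with wide strings would defeat an ASCII-only rule, and groups the hits by provider. The stand-in "binary", the provider grouping and the strong/weak verdict rule are constructed assumptions for the example.

```python
"""Scan a binary for the cloud-storage C2 strings listed in the MAR, in
ASCII and UTF-16LE, and summarise which providers it can reach.
Added example, not from the MAR; the scanned blob is constructed."""
import re

# Strings copied from the report's strings-of-interest list, grouped by provider
# (grouping is the example's own).
CLOUD_IOCS = {
    "dropbox": [b"https://api.dropboxapi.com/2/files/delete",
                b"https://content.dropboxapi.com/2/files/upload",
                b"https://content.dropboxapi.com/2/files/download",
                b"Dropbox-API-Arg",
                b'{"path":"%s","mode":{".tag":"overwrite"}}'],
    "pcloud": [b"https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1",
               b"https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1",
               b"https://api.pcloud.com/deletefile?path=%s",
               b"https://my.pcloud.com/oauth2/authorize"],
    "yandex": [b"https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s",
               b"https://cloud-api.yandex.net/v1/disk/resources/download?path=%s",
               b"https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s"],
    # Transport quirks that are signatures on their own: the hard-coded multipart
    # boundary and the odd "voice/mp3" part type.
    "transport": [b"--wwjaughalvncjwiajs--", b"Content-Type: voice/mp3"],
}


def wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII string, as a wchar_t literal is stored."""
    return s.decode("ascii").encode("utf-16-le")


def scan_for_cloud_c2(blob: bytes):
    """Return {provider: [(offset, encoding, string), ...]} for every hit
    in either encoding."""
    hits = {}
    for provider, needles in CLOUD_IOCS.items():
        for needle in needles:
            for enc, pat in (("ascii", needle), ("wide", wide(needle))):
                for m in re.finditer(re.escape(pat), blob):
                    hits.setdefault(provider, []).append((m.start(), enc, needle.decode()))
    return hits


def verdict(hits) -> str:
    """Triage rule (an assumption for the example, not a vendor signature):
    two or more providers plus the transport quirks is a strong match for
    this C2 layer; anything else that matched is weak; nothing is none."""
    providers = {p for p in hits if p != "transport"}
    if len(providers) >= 2 and "transport" in hits:
        return "strong"
    return "weak" if hits else "none"


def sample_binary() -> bytes:
    """Constructed stand-in for a PE: padding, ASCII strings, one wide string."""
    return (b"\x00" * 64 + b"MZ\x90\x00" + b"\x00" * 200
            + b"https://content.dropboxapi.com/2/files/upload\x00"
            + b"Dropbox-API-Arg\x00" + b"\x00" * 32
            + wide(b"https://api.pcloud.com/deletefile?path=%s") + b"\x00\x00"
            + b"multipart/form-data;boundary=--wwjaughalvncjwiajs--\x00"
            + b"Content-Type: voice/mp3\x00" + b"\x00" * 100)


if __name__ == "__main__":
    hits = scan_for_cloud_c2(sample_binary())
    for provider, found in hits.items():
        for off, enc, s in found:
            print(f"{provider:10s} 0x{off:06x} {enc:5s} {s}")
    print("verdict:", verdict(hits))
```

The same list translates directly into a YARA rule with `ascii wide` on each string; the scanner is the equivalent for environments where YARA is not available, and for memory dumps where the unpacked strings appear only after the dropper has run.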
File: 5c6c1ed910e7c9740a0289a6d278908a
Size: 520704 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5c6c1ed910e7c9740a0289a6d278908a
SHA1: 0e46e026890982da526d8acf9f1ce6287451c9a6
SHA256: e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
SHA512: e2d3059e28998bfb5c0badf3d6d8df28e527037c33b489b7dcc2f392a1d91a568beef410a4feaabc4daee98112142e58394ed5e2a73c71ed0cb46943eb3383d1
SSDEEP: 6144:Wh65XKGJs5Ve5psLyYuwAKdf9Q4p9FCAkko7cmxBZAk4+AJ6P3VNUo+wABK7Cl/5:SAKdf+4p9J2x0k4+AQ3VNH+rZx7Aq9
Packers/Compilers/Cryptors: Microsoft Visual C++ ?.?
Entropy: 6.560851
Contained_Within: d2881e56e66aeaebef7efaa60a58ef9b
Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 3f98c434d7b39de61a8b459180dd46a3
SHA1: 1584b3ce64835a3c7b796139fbd981a9f2cddb6c
SHA256: 3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
Producer: NCCIC, 2020-05-08T15:16:49+00:00

Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: aa525af1589156fc09f78e69b3b03428
SHA1: 6ff889358923ab2a0de80303be9ac559a555b9b9
SHA256: 851b7b044cbcaa67350aff80a5b9fb4c63393957f3d4b30005a83348fe69ac5a
Producer: NCCIC, 2020-05-08T15:16:49+00:00

Indicator: Malicious Domain (Domain Watchlist)
Domain: www.korea-tax.info
Producer: NCCIC, 2020-05-08T15:16:49+00:00

Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 111d205422fe90848c2f41cc84ebd96a
SHA1: b03f6f336c07d514edb15d6e3fefd98432cae7e2
SHA256: fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
Producer: NCCIC, 2020-05-08T15:16:50+00:00

Indicator: Malicious Domain (Domain Watchlist)
Domain: www.1588-2040.co.kr
Producer: NCCIC, 2020-05-08T15:16:50+00:00

Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: d2881e56e66aeaebef7efaa60a58ef9b
SHA1: c09c1be69e5a206bcfe3d726773f0b0ddecb3622
SHA256: e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
Producer: NCCIC, 2020-05-08T15:16:50+00:00

Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 5c6c1ed910e7c9740a0289a6d278908a
SHA1: 0e46e026890982da526d8acf9f1ce6287451c9a6
SHA256: e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573
Producer: NCCIC, 2020-05-08T15:16:50+00:00
MAEC Characterization of 3f98c434d7b39de61a8b459180dd46a3
ClamAV: Swf.Trojan.Rokrat-6443186-0
McAfee: RDN/Generic Exploit.lv
NetGate: Exploit.Win32.Generic
Cyren: Siwifi
Symantec: Trojan.Gen.NPE.2
Antiy: Trojan[Exploit]/SWF.CVE-2018-4878
BitDefender: Exploit.Agent.MS
Microsoft Security Essentials: Exploit:SWF/Korpode.A
Sophos: Troj/SwfExp-OI
TrendMicro House Call: TROJ_EX.F2A7C559
TrendMicro: TROJ_EX.F2A7C559
Emsisoft: Exploit.Agent.MS (B)
Avira: EXP/CVE-2018-4878.A.Gen
Ahnlab: SWF/Agent
ESET: SWF/Exploit.CVE-2018-4878.A trojan
TACHYON: Trojan-Exploit/W97.Agent.Gen
Quick Heal: Exp.OLE.CVE-2018-4878.C
Ikarus: Trojan.SWF.Exploit
CVE: CVE-2018-4878
Classification: trojan
MAEC Characterization of aa525af1589156fc09f78e69b3b03428
ClamAV: Win.Trojan.Agent-6551186-0
McAfee: Exploit-CVE2018-4878.b
Cyren: SWF/CVE-2018-4878.B!Camelot
Symantec: Trojan.Gen.NPE.2
BitDefender: Exploit.Agent.MS
Microsoft Security Essentials: Exploit:SWF/Korpode.A!gen
Sophos: Troj/SwfExp-OK
Emsisoft: Exploit.Agent.MS (B)
Avira: EXP/CVE-2018-4878.A.Gen
Ahnlab: SWF/Cve-2018-4878.R.SS18
ESET: SWF/Exploit.CVE-2018-4878.A trojan
TACHYON: Trojan-Exploit/SWF.Agent.Gen
Quick Heal: Exp.SWF.CVE-2018-4878.D
Ikarus: Trojan.SWF.Exploit
Classification: command-and-control
MAEC Characterization of 111d205422fe90848c2f41cc84ebd96a
ClamAV: Swf.Trojan.Rokrat-6443186-0
McAfee: Exploit-CVE2018-4878.b
Cyren: SWF/CVE-2018-4878.B!Camelot
Symantec: Trojan.Gen.2
Antiy: Trojan[Exploit]/SWF.CVE-2018-4878
BitDefender: Script.SWF.C589
Microsoft Security Essentials: Exploit:SWF/Korpode.A!gen
Sophos: Troj/SWFExp-OL
TrendMicro House Call: SWF_EXP.3A46FD51
TrendMicro: SWF_EXP.3A46FD51
Emsisoft: Script.SWF.C589 (B)
Avira: EXP/CVE-2018-4878.A.Gen
Ahnlab: SWF/Cve-2018-4878.R.SS18
ESET: SWF/Exploit.CVE-2018-4878.A trojan
NANOAV: Exploit.Swf.CVE20184878.exmycd
TACHYON: Trojan-Exploit/SWF.Agent.Gen
Quick Heal: Exp.SWF.CVE-2018-4878.D
Ikarus: Trojan.SWF.Exploit
MAEC Characterization of d2881e56e66aeaebef7efaa60a58ef9b
ClamAV: Win.Trojan.Rokrat-6443187-0
McAfee: Trojan-FPCM!D2881E56E66A
NetGate: Trojan.Win32.Malware
K7: Trojan ( 00525b861 )
Systweak: trojan.korpode
Cyren: W32/Trojan.IKOU-3732
Symantec: Backdoor.Rokrat
Antiy: Trojan/Win32.RockRat
BitDefender: Trojan.GenericKD.41796224
Microsoft Security Essentials: Trojan:Win32/Korpode.A!dha
Sophos: Mal/FakeAV-ST
TrendMicro House Call: Backdoo.3FA9A8A6
TrendMicro: Backdoo.3FA9A8A6
Emsisoft: Trojan.GenericKD.41796224 (B)
Avira: TR/Dropper.Gen
VirusBlokAda: Malware-Cryptor.Inject.gen
Ahnlab: Trojan/Win32.Loader
ESET: Win32/Spy.Agent.PHF trojan
NANOAV: Trojan.Win32.RockRat.exmijf
Filseclab: Trojan.RockRat.gen.qzrl
Vir.IT eXplorer: Trojan.Win32.Spy.AST
Quick Heal: Trojan.RockRat.S1875120
Ikarus: Trojan.Win32.Krypt
Classification: backdoor, dropper
MAEC Characterization of 5c6c1ed910e7c9740a0289a6d278908a
ClamAV: Win.Trojan.Rokrat-6380697-0
NetGate: Trojan.Win32.Malware
K7: Spyware ( 0051fbf81 )
Systweak: malware.gen-rg
Symantec: Trojan.Gen.2
Antiy: Trojan[Spy]/Win32.Agent
BitDefender: Gen:Variant.Graftor.538484
Microsoft Security Essentials: Trojan:Win32/Korpode.A!dha
Sophos: Troj/Spy-AQO
TrendMicro House Call: TSPY_KO.89D03B8E
TrendMicro: TSPY_KO.89D03B8E
Emsisoft: Gen:Variant.Graftor.538484 (B)
Avira: HEUR/AGEN.1133065
VirusBlokAda: TrojanSpy.Agent
Ahnlab: Trojan/Win32.Hwdoor
ESET: a variant of Win32/Spy.Agent.PHF trojan
NANOAV: Trojan.Win32.Generic.evuabe
TACHYON: Trojan-Spy/W32.Agent.520704.E
Vir.IT eXplorer: Trojan.Win32.Spy.BUB
Ikarus: Trojan-Spy.Agent
Classification: spyware
10160323.r1.v2
Malicious Code
Malicious Artifact Detected