Malware used by the Lazarus APT group: YamaBot
2022-07-12 • Secrss
This translated JPCERT/CC analysis attributes YamaBot to Lazarus activity and describes it as a Go-based backdoor with both Windows and Linux builds. YamaBot beacons to its C2 servers over HTTP: the User-Agent header carries a Base64-encoded value, and terminal information or command results are RC4-encrypted, Base64-encoded and placed in Cookie fields. The Linux build supports shell command execution through /bin/sh; the Windows build implements several commands, including download, information reporting and shell execution. The report lists C2 locations including www.karin-store.com/recaptcha.php, yoshinorihirano.net/wp-includes/feed-xml.php and 213.180.180.154/editor/session/aaa000/support.php, which makes it useful for both host-based and server-side incident review.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | f226086b5959eb96bd30dec0ffcbf0f… | 2022-06-30 | 2024-07-25 |
| HASH | 6db57bbc2d07343dd6ceba0f53c7375… | 2022-06-30 | 2024-07-25 |
| IPv4 | 213.180.180.154 | 2022-06-30 | 2022-09-08 |
| URL | http://yoshinorihirano.net/wp-i… | 2022-06-30 | 2022-07-12 |
| URL | http://www.karin-store.com/reca… | 2022-06-30 | 2022-07-12 |
| DOMAIN | yoshinorihirano.net | 2022-06-30 | 2022-07-12 |