Dangerous Password
2020-04-02 • Strangereal Intel
The Dangerous Password analysis describes a malicious self-extracting RAR and LNK chain that launches mshta through a Bitly redirect to attacker-controlled infrastructure. The HTA displays a decoy password file while installing persistence through a startup LNK and VBScript stager, then adapts execution based on detected Chinese and Indian antivirus processes. Later stages contact cloudfiles.club, msupdatepms.xyz, and 88.204.166.59 over HTTP, decode Base64 and XOR-protected script content, and run remote commands in memory. The author notes overlap with North Korea-linked tradecraft, but the excerpt does not provide enough attribution evidence to treat the campaign as definitively DPRK-run.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 88.204.166.59 | 2020-04-02 | 2021-01-28 |
| HASH | 3249e2eb1eaa628dcf7c83062463bc6… | 2020-04-02 | 2020-04-02 |
| URL | http://www.msupdatepms.xyz:8080… | 2020-04-02 | 2020-04-02 |
| URL | http://www.cloudfiles.club:8080… | 2020-04-02 | 2020-04-02 |