Hunted! ole & hwp !
2018-10-01 • kino •
A suspicious HWP/OLE file contained shellcode that decoded an embedded payload and downloaded additional malware from a server at 211.218.126.236. The downloaded component was identified as a hwdoor downloader that saved svrc.exe under a temporary path and retrieved both alibaba.exe and another HWP-themed file. The excerpt says alibaba.exe was UPX-packed malware that created mutexes and communicated with the C2 path youngs.dgweb.kr/skin15/include/bin/forlab.php to perform malicious activity. The record provides concrete URLs and file hashes for defenders to triage, but it does not state a threat actor or DPRK attribution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | youngs.dgweb.kr | 2018-10-01 | 2018-10-01 |
| IPv4 | 211.218.126.236 | 2018-10-01 | 2018-10-01 |