A Guide to Writing YARA Rules to Detect Kimsuky's TrollAgent
2024-03-25 • Logpresso • Cyber threat report on Kimsuky, YARA, TrollAgent
Attachment: https://drive.google.com/file/d/1NfkJxhQFbX_Qivr25iRkMiEPtxdG215I/view
This analysis of Kimsuky's TrollAgent focuses on malware traits that can be converted into YARA detections, including mutex creation and rundll32-based DLL loading. According to the report, the observed mutex value matches values used by earlier Kimsuky malware, which strengthens the actor-level attribution. The malware masquerades as installers for security programs such as TrustPKI or NX PRNMAN while a Go-based DLL runs in the background. That DLL collects system data, selected files, SSH and FileZilla artifacts, browser data, screenshots, and GPKI directory contents, then sends them to C2 infrastructure.
Indicators of Compromise