South Korea Incident - New Malware samples

2013-04-24 Malware-reversing

http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html

The excerpt is a sample catalog rather than a full malware analysis, grouping related tools by PDB/debug strings: Concealment Troy, Http Dr0pper, Http Troy, PDF Exploit, TDrop, and additional package parts. It records PE timestamps from 2011-2013, MD5 hashes, packed and unpacked sizes, embedded executables/DLLs, resource contents, and development paths that suggest coordinated Windows malware build activity. Several samples include hardcoded HTTP endpoints on compromised-looking web paths such as login, member, goods, and message scripts, while others include PDF exploit packaging or AhnLab V3 self-extracting archive components. The value for defenders is the consolidated indicator set and build-path evidence, but the excerpt itself states it is only an overview and does not provide behavioral analysis or attribution.

Indicators of Compromise

