MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA
Common Information
Type Value
UUID 320d69d7-bdb1-4231-93b5-9f06a3c78f45
Fingerprint 9bccd9d7616b1b4f
Analysis status DONE
Considered CTI value 2
Text language
Published April 10, 2019, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 5:55 p.m.
Headline Malware Analysis Report (AR19-100A)
Title MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA
Detected Hints/Tags/Attributes 49/2/87
Attributes
Details Type #Events CTI Value
Details Yara rule 2
rule crypt_constants_2 {
	meta:
		Author = "NCCIC trusted 3rd party"
		Incident = "10135536"
		Date = "2018/04/19"
		category = "hidden_cobra"
		family = "n/a"
		description = "n/a"
	strings:
		$ = { EF CD AB 90 }
		$ = { 55 84 26 FE }
		$ = { 78 56 B4 C2 }
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
Details Yara rule 2
rule lsfr_constants {
	meta:
		Author = "NCCIC trusted 3rd party"
		Incident = "10135536"
		Date = "2018/04/19"
		category = "hidden_cobra"
		family = "n/a"
		description = "n/a"
	strings:
		$ = { EF CD AB 90 }
		$ = { 55 84 26 FE }
		$ = { 78 56 B4 C2 }
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
Details Yara rule 2
rule polarSSL_servernames {
	meta:
		Author = "NCCIC trusted 3rd party"
		Incident = "10135536"
		Date = "2018/04/19"
		category = "hidden_cobra"
		family = "n/a"
		description = "n/a"
	strings:
		$polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
		$sn1 = "www.google.com"
		$sn2 = "www.naver.com"
	condition:
		// MZ header at offset 0 and "PE" signature at e_lfanew (extraction had garbled this "==" as "- -")
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
}