MAR-10135536-8.v4 – North Korean Trojan: HOPLIGHT | CISA
Common Information
Type Value
UUID cabe5ed2-36d1-4181-94e9-548d7a139d3d
Fingerprint afc4197c492bd42c
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 14, 2020, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 19, 2024, 1:59 p.m.
Headline Malware Analysis Report (AR20-045G)
Title MAR-10135536-8.v4 – North Korean Trojan: HOPLIGHT | CISA
Detected Hints/Tags/Attributes 59/2/118
Attributes
Details Type #Events CTI Value
Details File 4
rdpproto.dll
Details File 4
udbcgiut.dat
Details File 3
msdfmapi.ini
Details File 3
udptrcsvc.dll
Details File 3
malware2.exe
Details File 3
malware3.exe
Details File 3
malware5.exe
Details File 3
malware5.dll
Details File 3
malware2.dll
Details File 3
vote_controller.dll
Details File 2
c:\windows\msncone.exe
Details File 1
c:\windows\system32\dispark.dll
Details File 1
c:\windows\system32\diskpart.dll
Details Yara rule 2
rule crypt_constants_2 {
	meta:
		Author = "NCCIC trusted 3rd party"
		Incident = "10135536"
		Date = "2018/04/19"
		category = "hidden_cobra"
		family = "n/a"
		description = "n/a"
	strings:
		$ = { EF CD AB 90 }
		$ = { 55 84 26 FE }
		$ = { 78 56 B4 C2 }
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
Details Yara rule 2
rule lsfr_constants {
	meta:
		Author = "NCCIC trusted 3rd party"
		Incident = "10135536"
		Date = "2018/04/19"
		category = "hidden_cobra"
		family = "n/a"
		description = "n/a"
	strings:
		$ = { EF CD AB 90 }
		$ = { 55 84 26 FE }
		$ = { 78 56 B4 C2 }
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
Details Yara rule 2
rule polarSSL_servernames {
	meta:
		Author = "NCCIC trusted 3rd party"
		Incident = "10135536"
		Date = "2018/04/19"
		category = "hidden_cobra"
		family = "n/a"
		description = "n/a"
	strings:
		$polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
		$sn1 = "www.google.com"
		$sn2 = "www.naver.com"
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and 1 of ($sn*))
}