MAR-10265965-1.v1 – North Korean Trojan: BISTROMATH | CISA
Tags
maec-delivery-vectors: Watering Hole
attack-pattern: Malware - T1587.001, Malware - T1588.001, Phishing - T1660, Phishing - T1566, Server - T1583.004, Server - T1584.004, Software - T1592.002, Vulnerabilities - T1588.006, Whois - T1596.002
Common Information
Type | Value |
---|---|
UUID | ef2ad7c4-99fd-474a-a602-3ca0eebee4d0 |
Fingerprint | d79ddbf74c7317ce |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 14, 2020, midnight |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Dec. 21, 2024, 3:26 a.m. |
Headline | Malware Analysis Report (AR20-045A) |
Title | MAR-10265965-1.v1 – North Korean Trojan: BISTROMATH | CISA |
Detected Hints/Tags/Attributes | 47/2/25 |
Source URLs
Redirection | Url |
---|---|
Source | https://www.us-cert.gov/ncas/analysis-reports/ar20-045a |
URL Provider
Attributes
Type | #Events | Value |
---|---|---|
Domain | 154 | www.us-cert.gov |
Domain | 1 | planetcpp.com |
Domain | 26 | us-cert.gov |
Domain | 18 | dhs.sgov.gov |
Domain | 18 | dhs.ic.gov |
Domain | 84 | malware.us-cert.gov |
Domain | 84 | ftp.malware.us-cert.gov |
Email | 17 | ncciccustomerservice@us-cert.gov |
Email | 18 | us-cert@dhs.sgov.gov |
Email | 18 | us-cert@dhs.ic.gov |
Email | 16 | soc@us-cert.gov |
Email | 84 | submit@malware.us-cert.gov |
sha256 | 2 | 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 |
sha256 | 2 | 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 |
sha256 | 2 | 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 |
sha256 | 2 | 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 |
sha256 | 1 | b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32 |
sha256 | 1 | 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f |
sha256 | 1 | 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c |
IPv4 | 1 | 159.100.250.231 |
Url | 42 | http://www.us-cert.gov/tlp. |
Url | 21 | https://www.us-cert.gov/hiddencobra. |
Url | 17 | https://us-cert.gov/forms/feedback |
Url | 84 | https://malware.us-cert.gov |
Yara rule | 2 | CryptographyFunction (rule text below) |

The YARA rule extracted for this record, as attributed on the page to a "CISA trusted 3rd party":

```yara
rule CryptographyFunction
{
    meta:
        author = "CISA trusted 3rd party"
        incident = "10271944.r1.v1"
        date = "2019-12-25"
        category = "Hidden_Cobra"
        family = "HOTCROISSANT"
    strings:
        $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7] 33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5] C1 [1-5] 33 [1-4] C1 [1-5] C1 }
    condition:
        uint16(0) == 0x5A4D and any of them
}
```

Note that the rule's own meta fields label it family HOTCROISSANT (incident 10271944), not BISTROMATH, so its association with this record is the aggregator's; check the rule against the source MAR before deploying it. The condition's `uint16(0) == 0x5A4D` is a little-endian read, i.e. the file must begin with the bytes `4D 5A` ("MZ").
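The rule's mechanics can be inspected without a YARA binary by translating its hex string into a byte regex. The following is an added example, not CISA's tooling and not part of the MAR: it handles only the literal-byte and `[n-m]` jump tokens this rule actually uses (no nibble wildcards or alternations), applies the `uint16(0) == 0x5A4D` condition as an explicit little-endian check, and runs against constructed input (an MZ blob carrying the shortest byte run the pattern accepts, the same run without an MZ header, and an MZ file without the pattern; none of it is real sample data). `length_bounds` and `minimal_instance` are added helpers whose names are this example's own.

```python
import re

# The hex string of $ALGO_crypto_1, copied from the YARA rule on this page.
ALGO_CRYPTO_1 = (
    "8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] "
    "8B [1-5] 8D [3-7] 33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] "
    "33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5] C1 [1-5] "
    "33 [1-4] C1 [1-5] C1"
)

# A token is either a literal byte ("8A") or a bounded jump ("[1-5]"); that subset is all
# this rule uses. Nibble wildcards (??), alternations ( | ) and unbounded jumps are rejected.
_TOKEN = re.compile(r"([0-9A-Fa-f]{2})|\[(\d+)-(\d+)\]")


def tokenize(hex_string):
    """Yield ('byte', value) or ('jump', lo, hi) per token; raise on anything unsupported."""
    for tok in hex_string.split():
        m = _TOKEN.fullmatch(tok)
        if m is None:
            raise ValueError("unsupported hex-string token: %r" % tok)
        byte, lo, hi = m.groups()
        if byte:
            yield ("byte", int(byte, 16))
        else:
            yield ("jump", int(lo), int(hi))


def hex_pattern_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex: [a-b] becomes .{a,b} (DOTALL)."""
    parts = []
    for tok in tokenize(hex_string):
        if tok[0] == "byte":
            parts.append(re.escape(bytes([tok[1]])))
        else:
            parts.append(b".{%d,%d}" % (tok[1], tok[2]))
    return re.compile(b"".join(parts), re.DOTALL)


def length_bounds(hex_string):
    """Shortest and longest byte run the pattern can match (how much slack the jumps allow)."""
    lo = hi = 0
    for tok in tokenize(hex_string):
        if tok[0] == "byte":
            lo += 1
            hi += 1
        else:
            lo += tok[1]
            hi += tok[2]
    return lo, hi


def is_mz(data):
    # YARA's uint16(0) is a little-endian read, so 0x5A4D means the file starts with b"MZ".
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def scan(data, hex_string=ALGO_CRYPTO_1):
    """Offsets at which the rule's condition holds: MZ header present and the pattern found."""
    if not is_mz(data):
        return []
    return [m.start() for m in hex_pattern_to_regex(hex_string).finditer(data)]


def minimal_instance(hex_string, filler=0x90):
    """Shortest byte run satisfying the pattern: literals as-is, each jump at its minimum
    length filled with `filler` (0x90, an x86 NOP). Used only to build constructed input."""
    out = bytearray()
    for tok in tokenize(hex_string):
        if tok[0] == "byte":
            out.append(tok[1])
        else:
            out.extend([filler] * tok[1])
    return bytes(out)


# Constructed samples (not real malware): a fake PE-like blob with the pattern at offset 64,
# the same body behind an ELF magic instead of MZ, and an MZ file that lacks the pattern.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + minimal_instance(ALGO_CRYPTO_1) + b"\x00" * 16
SAMPLE_NOT_PE = b"\x7fELF" + b"\x00" * 60 + minimal_instance(ALGO_CRYPTO_1)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 200

if __name__ == "__main__":
    print("pattern length bounds:", length_bounds(ALGO_CRYPTO_1))
    for name, blob in [("hit", SAMPLE_HIT), ("not-pe", SAMPLE_NOT_PE), ("clean", SAMPLE_CLEAN)]:
        print(name, "->", scan(blob))
```

For production scanning use the yara CLI or yara-python; the translation above exists to make the rule's behaviour inspectable, for example that the 27 literal bytes can be spread over anywhere from 57 to 147 bytes of code, which is why a hit should be confirmed against the referenced function rather than treated as a file-level verdict on its own.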