TT Malware Log

マルウェア / サイバー攻撃 / 解析技術 に関する「個人」の調査・研究・参照ログ

北朝鮮グループ由来の新種トロイの木馬「BANKSHOT」が判明 - 米政府が注意喚起

【ニュース】

◆北朝鮮グループ由来の新種トロイの木馬「BANKSHOT」が判明 - 米政府が注意喚起 (Security NEXT, 2017/12/25)
http://www.security-next.com/088782

◆ALERT: NORTH KOREAN MALICIOUS CYBER ACTIVITY (INFOWARS, 2017/12/21)
https://www.infowars.com/alert-north-korean-malicious-cyber-activity/


【公開情報】

◆Malware Analysis Report (MAR) - 10135536-B (US-CERT, 2017/12/13)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF

【インディケータ情報】

■ハッシュ情報(MD5)

  • 0137f688436c468d43b3e50878ec1a1f
  • 114d8db4843748d79861b49343c8b7ca
  • 2950e3741d7af69e0ca0c5013abc4209
  • 964b291ad9bafa471da3f80fb262dbe7
  • 9e4d9edb07c348b10863d89b6bb08141
  • c74e289ad927e81d2a1a56bc73e394ab
  • fc9e40100d8dfae2df0f30a3414f50ec

■Yara

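// Detection rule transcribed from US-CERT MAR-10135536-B (TLP:WHITE).
// The pasted copy carried the PDF page header/footer lines ("TLP:WHITE",
// "US-CERT MAR-10135536-B", "2 of 12") in the middle of the strings section,
// which makes the rule unparseable as-is. Those artifact lines are dropped
// here; every meta value and hex pattern is kept byte-for-byte.
rule Unauthorized_Proxy_Server_RAT
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Incident = "10135536"
        // Two of the seven sample MD5s listed in the indicator section above.
        MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
        MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
        Info = "Detects Proxy Server RAT"
        super_rule = 1

    strings:
        // Fixed hex byte sequences as published in the report (no wildcards
        // or jumps), so each pattern must match exactly.
        $s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
        $s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
        $s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
        $s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
        $s4 = {B91A7900008A140780F29A8810404975F4}
        $s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
        $s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
        $s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
        $s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
        $s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
        $s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
        $s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
        $s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
        $s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}

    condition:
        // A single matching pattern is enough to fire the rule.
        any of them
}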


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2020