IoC for LuckyMouse

Malware analysis and more technical information at https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/

Samples (SHA-256)

Backdoor PolPo

1EC731E955957FD06C42692BAE06C2EC13A39FE206ED65A5F145AE26D561C6BC
0F9657438FD7A3917B1A9E4026D5B2D9C92184582270657FEBE67BEC73D88DA6
FAB3A7E9708F750156BFA42DC5B8CF94FB24299AAF57B27023CD447A3D654EAD
C76FF6352464CF4C1A548273EAF7D1F5C29F459F9A1762D07264CBD059ED0701

Backdoor LuckyBack

119C220303D57C7D7FC14CD971411FCFC2B09258CCB8C1495DE0B33B02342541
7807C0177CF37BCE6E38EF534F804935F505A24D735BAA53A18E2DA766EC136B
6A2083FE6A1046FC108D09656D8A062500BFB9F5475F969A8C586699E0D5363A

Backdoor BlueTraveller

0791D3496C966858FBDE1C98D189D53BBF478F7CC2A3A3F3876EB56F42F0F36F
B2B744525989FB2AD99ED2652351FCA150589C5F3DECAF8E69F6ABCD325F88B5 (dropper)

RAT HyperBro

2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D

RAT Korplug

F2343499E127CB3DF917AE139D1A300233EBE8D83C43D41FC925640B47CCBBA4 (http_dll.dat)

Information Collector

56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1
6834CD58E413B46FE627FEC2218E5FADB1EF15E4CE6259E5812C0DE4062D005B
c0c5c4eae6122eea65f5b3d0edecedb7240b47160b110019f4092572dbb28b67

Data extractor 1

F8DA8EAD6E74E93482C8C4857783BBFF13E17930C924D4B450E978A97CBFA4ED

Data extractor 2

76538110C1207E47674BD7561AEA5CD41C8DDF7228A3FB141C70E7193EC04CD2
BE2DB9EB879B54C1C7220CF858EA3A4BD31E2474F3BE13D5ABEA2A0C1C24CA4B

ShellCodeExecutor

3CF29801BB08C335B97B7FBEF86DF085EA848D6A6CC0790CCCFCECACE07879CB

StartService

b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40
7C9257945F61D0F807064AA3BCEE04192E5396784DDE4C258D82BF3DBDDC2708

ServiceInstaller

DDDFFAD08343309561583F4AED1314949873E447E9BADB7B9619C36B0D96F9D6

UAC Bypass

268945FDF918EF6CB9863072BB898D1019C0911D4BC3BEB60A8A6F63D958D2A6

Lazagne

5D953D887ABF65FA7C8D3A2336B6EC8E510B1019819E93A6CFC0D767B0C89A4C
F7DF1B0B031BB5CE55A6DEDC83238838939A3DF6754DFC672302033BDA6C43EC

Mimikatz

37286285CB0F8305BD23A693B2E7ACE71538E4C0B9F13EE6CA4E9E9419657813
11B680737EB744867F8194D0997B0B694DBE2D5EFDBCEF88D404B1F79B7F7B7A
EAD61053881B4B6531B1610AD6A41096F181D2793A0EFC353D5B92B92548A2F4
8EB83D8739BF93D182ACDEF104D212F028FC1BD70336B22E4DCD41896BB580D1

PortScanner

2F81A30C205ED7BCA253FD5D14C164CBA0FE5CCB63D0A6CE29ABF324A1FD4814

Nbtscan

C9D5DC956841E000BFD8762E2F0B48B66C79B79500E894B4EFA7FB9BA17E4E9E
DA21AA6710528B9267833E2EF2E7974F5E7D32F02201FB63326FEA174926E78F

Earthworm

0f11d142064c98c35258ad7e761b66980faa7fbc34ced687689b774e6b0c6efe
5D1732094EEADDB74017BDA0BEFC1379817D19BD0093FD4FA2FFDC2D146C24A9 (VM protected)

FRP

247834006F766C942184F74757552B8FF243EC47892240329D23E80A88151605

Network indicators

C&C servers
