ioc-collection/LuckyMouse/README.md

# IoC for LuckyMouse

Malware analysis and more technical information at <https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/>


### Table of Contents
* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)

## Samples (SHA-256)
### Backdoor PolPo
```
1EC731E955957FD06C42692BAE06C2EC13A39FE206ED65A5F145AE26D561C6BC
0F9657438FD7A3917B1A9E4026D5B2D9C92184582270657FEBE67BEC73D88DA6
FAB3A7E9708F750156BFA42DC5B8CF94FB24299AAF57B27023CD447A3D654EAD
C76FF6352464CF4C1A548273EAF7D1F5C29F459F9A1762D07264CBD059ED0701
```

### Bacdkoor LuckyBack
```
119C220303D57C7D7FC14CD971411FCFC2B09258CCB8C1495DE0B33B02342541
7807C0177CF37BCE6E38EF534F804935F505A24D735BAA53A18E2DA766EC136B
6A2083FE6A1046FC108D09656D8A062500BFB9F5475F969A8C586699E0D5363A
```

### Backdoor BlueTraveller
```
0791D3496C966858FBDE1C98D189D53BBF478F7CC2A3A3F3876EB56F42F0F36F
B2B744525989FB2AD99ED2652351FCA150589C5F3DECAF8E69F6ABCD325F88B5 (dropper)
``` 

### RAT HyperBro
```
2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D
``` 

### RAT Korplug
```
F2343499E127CB3DF917AE139D1A300233EBE8D83C43D41FC925640B47CCBBA4 (http_dll.dat)
```

### Information Collector
```
56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1
6834CD58E413B46FE627FEC2218E5FADB1EF15E4CE6259E5812C0DE4062D005B
c0c5c4eae6122eea65f5b3d0edecedb7240b47160b110019f4092572dbb28b67
```

### Data extractor 1
```
F8DA8EAD6E74E93482C8C4857783BBFF13E17930C924D4B450E978A97CBFA4ED
```

### Data extractor 2
```
76538110C1207E47674BD7561AEA5CD41C8DDF7228A3FB141C70E7193EC04CD2
BE2DB9EB879B54C1C7220CF858EA3A4BD31E2474F3BE13D5ABEA2A0C1C24CA4B
```

### ShellCodeExecutor
```
3CF29801BB08C335B97B7FBEF86DF085EA848D6A6CC0790CCCFCECACE07879CB
```

### StartService 
```
b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40
7C9257945F61D0F807064AA3BCEE04192E5396784DDE4C258D82BF3DBDDC2708
```

### ServiceInstaller
```
DDDFFAD08343309561583F4AED1314949873E447E9BADB7B9619C36B0D96F9D6
```

### UAC Bypass
```
268945FDF918EF6CB9863072BB898D1019C0911D4BC3BEB60A8A6F63D958D2A6
```

### Lazagne
```
5D953D887ABF65FA7C8D3A2336B6EC8E510B1019819E93A6CFC0D767B0C89A4C
F7DF1B0B031BB5CE55A6DEDC83238838939A3DF6754DFC672302033BDA6C43EC
```

### Mimikatz
```
37286285CB0F8305BD23A693B2E7ACE71538E4C0B9F13EE6CA4E9E9419657813
11B680737EB744867F8194D0997B0B694DBE2D5EFDBCEF88D404B1F79B7F7B7A
EAD61053881B4B6531B1610AD6A41096F181D2793A0EFC353D5B92B92548A2F4
8EB83D8739BF93D182ACDEF104D212F028FC1BD70336B22E4DCD41896BB580D1
```

### PortScanner 
```
2F81A30C205ED7BCA253FD5D14C164CBA0FE5CCB63D0A6CE29ABF324A1FD4814
```

### Nbtscan
```
C9D5DC956841E000BFD8762E2F0B48B66C79B79500E894B4EFA7FB9BA17E4E9E
DA21AA6710528B9267833E2EF2E7974F5E7D32F02201FB63326FEA174926E78F
```


### Earthworm
```
0f11d142064c98c35258ad7e761b66980faa7fbc34ced687689b774e6b0c6efe
5D1732094EEADDB74017BDA0BEFC1379817D19BD0093FD4FA2FFDC2D146C24A9 (VM protected)
```

### FRP
```
247834006F766C942184F74757552B8FF243EC47892240329D23E80A88151605
```

## Network indicators
### C&C servers
```
202.179.0[.]142 8000
202.179.0[.]142 8080
202.179.5[.]161 443
202.179.5[.]85 8080
202.179.5[.]43 443
203.91.119[.]4 8000
202.59.9[.]58 80 
139.180.208[.]225
202.59.9[.]58 80 8443
106.13.149[.]126 443
139.180.208[.]225 443
139.180.155[.]133 80
45.77.55[.]145
oss.chrome-upgrade[.]com
go.vegispaceshop[.]org
web.microlynconline[.]com:80
home.microlynconline[.]com:8000
help.microlynconline[.]com:443
host.microlynconline[.]com:53

```
LuckyMouse: Added IoC files 2020-12-09 09:39:50 +00:00			`# IoC for LuckyMouse`

			`Malware analysis and more technical information at <https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/>`


			`### Table of Contents`
			`* [Samples (SHA-256)](#samples-sha-256)`
			`* [Network indicators](#network-indicators)`

LuckyMouse/README.md:fixed link 2020-12-09 13:46:25 +00:00			`## Samples (SHA-256)`
LuckyMouse: Added IoC files 2020-12-09 09:39:50 +00:00			`### Backdoor PolPo`
			```
			`1EC731E955957FD06C42692BAE06C2EC13A39FE206ED65A5F145AE26D561C6BC`
			`0F9657438FD7A3917B1A9E4026D5B2D9C92184582270657FEBE67BEC73D88DA6`
			`FAB3A7E9708F750156BFA42DC5B8CF94FB24299AAF57B27023CD447A3D654EAD`
			`C76FF6352464CF4C1A548273EAF7D1F5C29F459F9A1762D07264CBD059ED0701`
			```

			`### Bacdkoor LuckyBack`
			```
			`119C220303D57C7D7FC14CD971411FCFC2B09258CCB8C1495DE0B33B02342541`
			`7807C0177CF37BCE6E38EF534F804935F505A24D735BAA53A18E2DA766EC136B`
			`6A2083FE6A1046FC108D09656D8A062500BFB9F5475F969A8C586699E0D5363A`
			```

			`### Backdoor BlueTraveller`
			```
			`0791D3496C966858FBDE1C98D189D53BBF478F7CC2A3A3F3876EB56F42F0F36F`
			`B2B744525989FB2AD99ED2652351FCA150589C5F3DECAF8E69F6ABCD325F88B5 (dropper)`
			```

			`### RAT HyperBro`
			```
			`2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D`
			```

			`### RAT Korplug`
			```
			`F2343499E127CB3DF917AE139D1A300233EBE8D83C43D41FC925640B47CCBBA4 (http_dll.dat)`
			```

			`### Information Collector`
			```
			`56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1`
			`6834CD58E413B46FE627FEC2218E5FADB1EF15E4CE6259E5812C0DE4062D005B`
			`c0c5c4eae6122eea65f5b3d0edecedb7240b47160b110019f4092572dbb28b67`
			```

			`### Data extractor 1`
			```
			`F8DA8EAD6E74E93482C8C4857783BBFF13E17930C924D4B450E978A97CBFA4ED`
			```

			`### Data extractor 2`
			```
			`76538110C1207E47674BD7561AEA5CD41C8DDF7228A3FB141C70E7193EC04CD2`
			`BE2DB9EB879B54C1C7220CF858EA3A4BD31E2474F3BE13D5ABEA2A0C1C24CA4B`
			```

			`### ShellCodeExecutor`
			```
			`3CF29801BB08C335B97B7FBEF86DF085EA848D6A6CC0790CCCFCECACE07879CB`
			```

			`### StartService`
			```
			`b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40`
			`7C9257945F61D0F807064AA3BCEE04192E5396784DDE4C258D82BF3DBDDC2708`
			```

			`### ServiceInstaller`
			```
			`DDDFFAD08343309561583F4AED1314949873E447E9BADB7B9619C36B0D96F9D6`
			```

			`### UAC Bypass`
			```
			`268945FDF918EF6CB9863072BB898D1019C0911D4BC3BEB60A8A6F63D958D2A6`
			```

			`### Lazagne`
			```
			`5D953D887ABF65FA7C8D3A2336B6EC8E510B1019819E93A6CFC0D767B0C89A4C`
			`F7DF1B0B031BB5CE55A6DEDC83238838939A3DF6754DFC672302033BDA6C43EC`
			```

			`### Mimikatz`
			```
			`37286285CB0F8305BD23A693B2E7ACE71538E4C0B9F13EE6CA4E9E9419657813`
			`11B680737EB744867F8194D0997B0B694DBE2D5EFDBCEF88D404B1F79B7F7B7A`
			`EAD61053881B4B6531B1610AD6A41096F181D2793A0EFC353D5B92B92548A2F4`
			`8EB83D8739BF93D182ACDEF104D212F028FC1BD70336B22E4DCD41896BB580D1`
			```

			`### PortScanner`
			```
			`2F81A30C205ED7BCA253FD5D14C164CBA0FE5CCB63D0A6CE29ABF324A1FD4814`
			```

			`### Nbtscan`
			```
			`C9D5DC956841E000BFD8762E2F0B48B66C79B79500E894B4EFA7FB9BA17E4E9E`
			`DA21AA6710528B9267833E2EF2E7974F5E7D32F02201FB63326FEA174926E78F`
			```


			`### Earthworm`
			```
			`0f11d142064c98c35258ad7e761b66980faa7fbc34ced687689b774e6b0c6efe`
			`5D1732094EEADDB74017BDA0BEFC1379817D19BD0093FD4FA2FFDC2D146C24A9 (VM protected)`
			```

			`### FRP`
			```
			`247834006F766C942184F74757552B8FF243EC47892240329D23E80A88151605`
			```

			`## Network indicators`
			`### C&C servers`
			```
			`202.179.0[.]142 8000`
			`202.179.0[.]142 8080`
			`202.179.5[.]161 443`
			`202.179.5[.]85 8080`
			`202.179.5[.]43 443`
			`203.91.119[.]4 8000`
			`202.59.9[.]58 80`
			`139.180.208[.]225`
			`202.59.9[.]58 80 8443`
			`106.13.149[.]126 443`
			`139.180.208[.]225 443`
			`139.180.155[.]133 80`
			`45.77.55[.]145`
			`oss.chrome-upgrade[.]com`
			`go.vegispaceshop[.]org`
			`web.microlynconline[.]com:80`
			`home.microlynconline[.]com:8000`
			`help.microlynconline[.]com:443`
			`host.microlynconline[.]com:53`

			```