From 1065889aaf23b0070a763ec388a750594051bf1c Mon Sep 17 00:00:00 2001
From: LuiginoCamastra
Date: Wed, 9 Dec 2020 10:39:50 +0100
Subject: [PATCH] LuckyMouse: Added IoC files
---
 LuckyMouse/README.md | 140 ++++++++++++++++++++++++++++++++++++++
 LuckyMouse/samples.md5 | 34 +++++++++
 LuckyMouse/samples.sha1 | 34 +++++++++
 LuckyMouse/samples.sha256 | 34 +++++++++
 4 files changed, 242 insertions(+)
 create mode 100644 LuckyMouse/README.md
 create mode 100644 LuckyMouse/samples.md5
 create mode 100644 LuckyMouse/samples.sha1
 create mode 100644 LuckyMouse/samples.sha256
diff --git a/LuckyMouse/README.md b/LuckyMouse/README.md
new file mode 100644
index 0000000..9138702
--- /dev/null
+++ b/LuckyMouse/README.md
@@ -0,0 +1,140 @@
+# IoC for LuckyMouse
+
+Malware analysis and more technical information at
+
+
+### Table of Contents
+* [Samples (SHA-256)](#samples-sha-256)
+* [Network indicators](#network-indicators)
+
+### Backdoor PolPo
+```
+1EC731E955957FD06C42692BAE06C2EC13A39FE206ED65A5F145AE26D561C6BC
+0F9657438FD7A3917B1A9E4026D5B2D9C92184582270657FEBE67BEC73D88DA6
+FAB3A7E9708F750156BFA42DC5B8CF94FB24299AAF57B27023CD447A3D654EAD
+C76FF6352464CF4C1A548273EAF7D1F5C29F459F9A1762D07264CBD059ED0701
+```
+
+### Bacdkoor LuckyBack
+```
+119C220303D57C7D7FC14CD971411FCFC2B09258CCB8C1495DE0B33B02342541
+7807C0177CF37BCE6E38EF534F804935F505A24D735BAA53A18E2DA766EC136B
+6A2083FE6A1046FC108D09656D8A062500BFB9F5475F969A8C586699E0D5363A
+```
+
+### Backdoor BlueTraveller
+```
+0791D3496C966858FBDE1C98D189D53BBF478F7CC2A3A3F3876EB56F42F0F36F
+B2B744525989FB2AD99ED2652351FCA150589C5F3DECAF8E69F6ABCD325F88B5 (dropper)
+```
+
+### RAT HyperBro
+```
+2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D
+```
+
+### RAT Korplug
+```
+F2343499E127CB3DF917AE139D1A300233EBE8D83C43D41FC925640B47CCBBA4 (http_dll.dat)
+```
+
+### Information Collector
+```
+56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1
+6834CD58E413B46FE627FEC2218E5FADB1EF15E4CE6259E5812C0DE4062D005B
+c0c5c4eae6122eea65f5b3d0edecedb7240b47160b110019f4092572dbb28b67
+```
+
+### Data extractor 1
+```
+F8DA8EAD6E74E93482C8C4857783BBFF13E17930C924D4B450E978A97CBFA4ED
+```
+
+### Data extractor 2
+```
+76538110C1207E47674BD7561AEA5CD41C8DDF7228A3FB141C70E7193EC04CD2
+BE2DB9EB879B54C1C7220CF858EA3A4BD31E2474F3BE13D5ABEA2A0C1C24CA4B
+```
+
+### ShellCodeExecutor
+```
+3CF29801BB08C335B97B7FBEF86DF085EA848D6A6CC0790CCCFCECACE07879CB
+```
+
+### StartService
+```
+b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40
+7C9257945F61D0F807064AA3BCEE04192E5396784DDE4C258D82BF3DBDDC2708
+```
+
+### ServiceInstaller
+```
+DDDFFAD08343309561583F4AED1314949873E447E9BADB7B9619C36B0D96F9D6
+```
+
+### UAC Bypass
+```
+268945FDF918EF6CB9863072BB898D1019C0911D4BC3BEB60A8A6F63D958D2A6
+```
+
+### Lazagne
+```
+5D953D887ABF65FA7C8D3A2336B6EC8E510B1019819E93A6CFC0D767B0C89A4C
+F7DF1B0B031BB5CE55A6DEDC83238838939A3DF6754DFC672302033BDA6C43EC
+```
+
+### Mimikatz
+```
+37286285CB0F8305BD23A693B2E7ACE71538E4C0B9F13EE6CA4E9E9419657813
+11B680737EB744867F8194D0997B0B694DBE2D5EFDBCEF88D404B1F79B7F7B7A
+EAD61053881B4B6531B1610AD6A41096F181D2793A0EFC353D5B92B92548A2F4
+8EB83D8739BF93D182ACDEF104D212F028FC1BD70336B22E4DCD41896BB580D1
+```
+
+### PortScanner
+```
+2F81A30C205ED7BCA253FD5D14C164CBA0FE5CCB63D0A6CE29ABF324A1FD4814
+```
+
+### Nbtscan
+```
+C9D5DC956841E000BFD8762E2F0B48B66C79B79500E894B4EFA7FB9BA17E4E9E
+DA21AA6710528B9267833E2EF2E7974F5E7D32F02201FB63326FEA174926E78F
+```
+
+
+### Earthworm
+```
+0f11d142064c98c35258ad7e761b66980faa7fbc34ced687689b774e6b0c6efe
+5D1732094EEADDB74017BDA0BEFC1379817D19BD0093FD4FA2FFDC2D146C24A9 (VM protected)
+```
+
+### FRP
+```
+247834006F766C942184F74757552B8FF243EC47892240329D23E80A88151605
+```
+
+## Network indicators
+### C&C servers
+```
+202.179.0[.]142 8000
+202.179.0[.]142 8080
+202.179.5[.]161 443
+202.179.5[.]85 8080
+202.179.5[.]43 443
+203.91.119[.]4 8000
+202.59.9[.]58 80
+139.180.208[.]225
+202.59.9[.]58 80 8443
+106.13.149[.]126 443
+139.180.208[.]225 443
+139.180.155[.]133 80
+45.77.55[.]145
+oss.chrome-upgrade[.]com
+go.vegispaceshop[.]org
+web.microlynconline[.]com:80
+home.microlynconline[.]com:8000
+help.microlynconline[.]com:443
+host.microlynconline[.]com:53
+
+```
diff --git a/LuckyMouse/samples.md5 b/LuckyMouse/samples.md5
new file mode 100644
index 0000000..4ee8da0
--- /dev/null
+++ b/LuckyMouse/samples.md5
@@ -0,0 +1,34 @@
+cf6e8da9e3925a16bdc290c04f0325fb
+47143ea37a33dc13d3654091852c6b2f
+9a995b7e3fd7af308a54b2d7e2009b6a
+af9230660f269213d8d3d72aacb95f1c
+7bb46a00d5d11662c6aaacc6cfca71f5
+ef1e60d0b3c4c700dfdc426e5ba89cd7
+0a1d7fbc81850aa8434ffa576cc40d22
+5a79f27cfb3d5591f3762426fb57e830
+7c55cdd649b9c3214cb0011ee79e46bb
+e8954bf3d3419c3d4c0bc3215a5aaea1
+20f37bbdb2bfe32587b14481feb96c48
+7bc9dee4d05006d73310ffdc81ad3930
+11829420a13baa485b3e7151cfa71873
+83c5ff660f2900677e537f9500579965
+f6421a4f570656ada4a6c953bdd3c342
+1c02a48e8c4bd9e55e2822f19d33382c
+53664b38d7d344faf491935194f69356
+9b9fb0471e5f2ec2bfd826dbbb01beac
+205e62257c8b6b2765f178d2dd50393a
+084f00c843c6261751151f90a4dea25b
+f1dea6b41f85fbe7b692bbb437a0e324
+28d704e3eb39306253000ae258ba7054
+f831f7c75f0296040d3dcca014439fd1
+b93e54a020dfcb1d470c57da2c59e3c5
+426bdeffcf07d1f8228a092ee5846b48
+75184eeada8b9f63ea009bd391b1f05d
+f01a9a2d1e31332ed36c1a4d2839f412
+65d90463f02a1056658a65c49aa22db5
+a33ec2cbdcfa6d011b26ef54f1b0988e
+115df9012ae43d21080d45356abc7fad
+3c0b3cb817b785b428bea6128e32e5b9
+77ac095d9b4f125ba3bd3ad1b581f87d
+9b233f5cc52c2e56522e8a906e7dbde9
+79613f704405531c11762c5797270622
\ No newline at end of file
diff --git a/LuckyMouse/samples.sha1 b/LuckyMouse/samples.sha1
new file mode 100644
index 0000000..1dc1159
--- /dev/null
+++ b/LuckyMouse/samples.sha1
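Review bot: The last entry `+79613f704405531c11762c5797270622` is followed by `\ No newline at end of file`, and the samples.sha1 and samples.sha256 hunks end the same way, so line-oriented consumers of these lists (`wc -l`, `grep -c`, or a `cat samples.* > combined.txt` step feeding a blocklist) will miscount the list or fuse the final hash with whatever text follows it. Terminating each list with a newline fixes this without changing any indicator. The 34 entries per file do match the 34 SHA-256 values listed in README.md, so the lists themselves look complete.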
@@ -0,0 +1,34 @@
+379c1741869f9092289cdb1afc0339fa4e4df7d2
+c4d16fda2c098e13daf2677383e3163eae3bad0d
+1dc2cc4b53bf8a63c960f63086c38ff5f0268507
+ed6cecfdaaeb7f41a824757862640c874ef3f7ae
+dead591fa5f3b74e39cc68106bf05aba53b224a3
+075c5c4ab415e9f127862a49aab55589468696a7
+e9280680e44fbb67ecc97a64a30484500e12237c
+f8eaab7c4ea23afef4ee79227a267741bb330cb8
+d285b5df2461a0ca9702c2789bad861340ea3ba9
+f598d34766f3e5c96d4f44f72ea11fa9088df631
+5d22c2aa389c33403aef64b9a600d87db480a729
+fd18154f89c6b4802ad5019f2f2ece8d687b4cda
+5c13c0780f20bd63ee2210c701d76886c97391c6
+1181f666a3962e3068cc77c9a860593f2d172250
+6571ad4133ca7425d2cfb4d36c65f7aebe13ed94
+9489ffef8a4f9e754c6f4108dedae94c8b65d9c7
+b257dd747fbac24f6ecc3c10d1d356d6cef909fc
+0256b9705b2158159f150e0518cd10ea3dec58fa
+060c36e49167148a4066e9612008210f82e84e6b
+6d0f2758d0dfd6904ab853c14fbab1ceaef72dc8
+71103af440611a9afd532c846cf02cff626f244f
+2b2249c7821c7cd0940aa980a8a001997104ba7c
+f7c3ae224745bbfe18e2093fa8a97ece5a12a9d3
+3fe16de0feaa7affd67317563a47a3e39722237a
+6d97d3b809d079aa4dc6f63a42d05c0f947e5ea6
+2e96c6ac11059c87d16e63ecea44e96d0ebe758f
+90da10004c8f6fafdaa2cf18922670a745564f45
+43af6ed5b179797375cbda25ce29534d3b0fad21
+a779f3a5b1762a15e563b503ce8591477827d5ee
+f0f53bdea2ea17a4c749e0f4963deaf0b3c13374
+4e4956a5f6b506361e7387a43784a14616b939f1
+9798c353e84b175f1b2b8b4c67bbdae76ad3d470
+ddf7e1aea76a4d5793ad0eb3ff6f79a169a7e7e0
+27c0b9a9206f1ce46e29d48fd48274f1023e27dd
\ No newline at end of file
diff --git a/LuckyMouse/samples.sha256 b/LuckyMouse/samples.sha256
new file mode 100644
index 0000000..ec244c9
--- /dev/null
+++ b/LuckyMouse/samples.sha256
@@ -0,0 +1,34 @@
+0791d3496c966858fbde1c98d189d53bbf478f7cc2a3a3f3876eb56f42f0f36f
+0f11d142064c98c35258ad7e761b66980faa7fbc34ced687689b774e6b0c6efe
+0f9657438fd7a3917b1a9e4026d5b2d9c92184582270657febe67bec73d88da6
+119c220303d57c7d7fc14cd971411fcfc2b09258ccb8c1495de0b33b02342541
+11b680737eb744867f8194d0997b0b694dbe2d5efdbcef88d404b1f79b7f7b7a
+1ec731e955957fd06c42692bae06c2ec13a39fe206ed65a5f145ae26d561c6bc
+247834006f766c942184f74757552b8ff243ec47892240329d23e80a88151605
+268945fdf918ef6cb9863072bb898d1019c0911d4bc3beb60a8a6f63d958d2a6
+2d2ea3002c367684f21ad08bdc9b5079ebdee08b6356ac5694efa139d4c6e60d
+2f81a30c205ed7bca253fd5d14c164cba0fe5ccb63d0a6ce29abf324a1fd4814
+37286285cb0f8305bd23a693b2e7ace71538e4c0b9f13ee6ca4e9e9419657813
+3cf29801bb08c335b97b7fbef86df085ea848d6a6cc0790cccfcecace07879cb
+56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1
+5d1732094eeaddb74017bda0befc1379817d19bd0093fd4fa2ffdc2d146c24a9
+5d953d887abf65fa7c8d3a2336b6ec8e510b1019819e93a6cfc0d767b0c89a4c
+6834cd58e413b46fe627fec2218e5fadb1ef15e4ce6259e5812c0de4062d005b
+6a2083fe6a1046fc108d09656d8a062500bfb9f5475f969a8c586699e0d5363a
+76538110c1207e47674bd7561aea5cd41c8ddf7228a3fb141c70e7193ec04cd2
+7807c0177cf37bce6e38ef534f804935f505a24d735baa53a18e2da766ec136b
+7c9257945f61d0f807064aa3bcee04192e5396784dde4c258d82bf3dbddc2708
+8eb83d8739bf93d182acdef104d212f028fc1bd70336b22e4dcd41896bb580d1
+b2b744525989fb2ad99ed2652351fca150589c5f3decaf8e69f6abcd325f88b5
+b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40
+be2db9eb879b54c1c7220cf858ea3a4bd31e2474f3be13d5abea2a0c1c24ca4b
+c0c5c4eae6122eea65f5b3d0edecedb7240b47160b110019f4092572dbb28b67
+c76ff6352464cf4c1a548273eaf7d1f5c29f459f9a1762d07264cbd059ed0701
+c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
+da21aa6710528b9267833e2ef2e7974f5e7d32f02201fb63326fea174926e78f
+dddffad08343309561583f4aed1314949873e447e9badb7b9619c36b0d96f9d6
+ead61053881b4b6531b1610ad6a41096f181d2793a0efc353d5b92b92548a2f4
+f2343499e127cb3df917ae139d1a300233ebe8d83c43d41fc925640b47ccbba4
+f7df1b0b031bb5ce55a6dedc83238838939a3df6754dfc672302033bda6c43ec
+f8da8ead6e74e93482c8c4857783bbff13e17930c924d4b450e978a97cbfa4ed
+fab3a7e9708f750156bfa42dc5b8cf94fb24299aaf57b27023cd447a3d654ead
\ No newline at end of file