# IoC for LuckyMouse

Malware analysis and more technical information at <https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/>


### Table of Contents
* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)

## Samples (SHA-256)
### Backdoor PolPo
```
1EC731E955957FD06C42692BAE06C2EC13A39FE206ED65A5F145AE26D561C6BC
0F9657438FD7A3917B1A9E4026D5B2D9C92184582270657FEBE67BEC73D88DA6
FAB3A7E9708F750156BFA42DC5B8CF94FB24299AAF57B27023CD447A3D654EAD
C76FF6352464CF4C1A548273EAF7D1F5C29F459F9A1762D07264CBD059ED0701
```

### Bacdkoor LuckyBack
```
119C220303D57C7D7FC14CD971411FCFC2B09258CCB8C1495DE0B33B02342541
7807C0177CF37BCE6E38EF534F804935F505A24D735BAA53A18E2DA766EC136B
6A2083FE6A1046FC108D09656D8A062500BFB9F5475F969A8C586699E0D5363A
```

### Backdoor BlueTraveller
```
0791D3496C966858FBDE1C98D189D53BBF478F7CC2A3A3F3876EB56F42F0F36F
B2B744525989FB2AD99ED2652351FCA150589C5F3DECAF8E69F6ABCD325F88B5 (dropper)
``` 

### RAT HyperBro
```
2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D
``` 

### RAT Korplug
```
F2343499E127CB3DF917AE139D1A300233EBE8D83C43D41FC925640B47CCBBA4 (http_dll.dat)
```

### Information Collector
```
56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1
6834CD58E413B46FE627FEC2218E5FADB1EF15E4CE6259E5812C0DE4062D005B
c0c5c4eae6122eea65f5b3d0edecedb7240b47160b110019f4092572dbb28b67
```

### Data extractor 1
```
F8DA8EAD6E74E93482C8C4857783BBFF13E17930C924D4B450E978A97CBFA4ED
```

### Data extractor 2
```
76538110C1207E47674BD7561AEA5CD41C8DDF7228A3FB141C70E7193EC04CD2
BE2DB9EB879B54C1C7220CF858EA3A4BD31E2474F3BE13D5ABEA2A0C1C24CA4B
```

### ShellCodeExecutor
```
3CF29801BB08C335B97B7FBEF86DF085EA848D6A6CC0790CCCFCECACE07879CB
```

### StartService 
```
b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40
7C9257945F61D0F807064AA3BCEE04192E5396784DDE4C258D82BF3DBDDC2708
```

### ServiceInstaller
```
DDDFFAD08343309561583F4AED1314949873E447E9BADB7B9619C36B0D96F9D6
```

### UAC Bypass
```
268945FDF918EF6CB9863072BB898D1019C0911D4BC3BEB60A8A6F63D958D2A6
```

### Lazagne
```
5D953D887ABF65FA7C8D3A2336B6EC8E510B1019819E93A6CFC0D767B0C89A4C
F7DF1B0B031BB5CE55A6DEDC83238838939A3DF6754DFC672302033BDA6C43EC
```

### Mimikatz
```
37286285CB0F8305BD23A693B2E7ACE71538E4C0B9F13EE6CA4E9E9419657813
11B680737EB744867F8194D0997B0B694DBE2D5EFDBCEF88D404B1F79B7F7B7A
EAD61053881B4B6531B1610AD6A41096F181D2793A0EFC353D5B92B92548A2F4
8EB83D8739BF93D182ACDEF104D212F028FC1BD70336B22E4DCD41896BB580D1
```

### PortScanner 
```
2F81A30C205ED7BCA253FD5D14C164CBA0FE5CCB63D0A6CE29ABF324A1FD4814
```

### Nbtscan
```
C9D5DC956841E000BFD8762E2F0B48B66C79B79500E894B4EFA7FB9BA17E4E9E
DA21AA6710528B9267833E2EF2E7974F5E7D32F02201FB63326FEA174926E78F
```


### Earthworm
```
0f11d142064c98c35258ad7e761b66980faa7fbc34ced687689b774e6b0c6efe
5D1732094EEADDB74017BDA0BEFC1379817D19BD0093FD4FA2FFDC2D146C24A9 (VM protected)
```

### FRP
```
247834006F766C942184F74757552B8FF243EC47892240329D23E80A88151605
```

## Network indicators
### C&C servers
```
202.179.0[.]142 8000
202.179.0[.]142 8080
202.179.5[.]161 443
202.179.5[.]85 8080
202.179.5[.]43 443
203.91.119[.]4 8000
202.59.9[.]58 80 
139.180.208[.]225
202.59.9[.]58 80 8443
106.13.149[.]126 443
139.180.208[.]225 443
139.180.155[.]133 80
45.77.55[.]145
oss.chrome-upgrade[.]com
go.vegispaceshop[.]org
web.microlynconline[.]com:80
home.microlynconline[.]com:8000
help.microlynconline[.]com:443
host.microlynconline[.]com:53

```