# IoC for LuckyMouse

Malware analysis and more technical information at

### Table of Contents

* [Samples (SHA-256)](#samples-sha-256)
* [Network indicators](#network-indicators)

## Samples (SHA-256)

### Backdoor PolPo

```
1EC731E955957FD06C42692BAE06C2EC13A39FE206ED65A5F145AE26D561C6BC
0F9657438FD7A3917B1A9E4026D5B2D9C92184582270657FEBE67BEC73D88DA6
FAB3A7E9708F750156BFA42DC5B8CF94FB24299AAF57B27023CD447A3D654EAD
C76FF6352464CF4C1A548273EAF7D1F5C29F459F9A1762D07264CBD059ED0701
```

### Backdoor LuckyBack

```
119C220303D57C7D7FC14CD971411FCFC2B09258CCB8C1495DE0B33B02342541
7807C0177CF37BCE6E38EF534F804935F505A24D735BAA53A18E2DA766EC136B
6A2083FE6A1046FC108D09656D8A062500BFB9F5475F969A8C586699E0D5363A
```

### Backdoor BlueTraveller

```
0791D3496C966858FBDE1C98D189D53BBF478F7CC2A3A3F3876EB56F42F0F36F
B2B744525989FB2AD99ED2652351FCA150589C5F3DECAF8E69F6ABCD325F88B5 (dropper)
```

### RAT HyperBro

```
2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D
```

### RAT Korplug

```
F2343499E127CB3DF917AE139D1A300233EBE8D83C43D41FC925640B47CCBBA4 (http_dll.dat)
```

### Information Collector

```
56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1
6834CD58E413B46FE627FEC2218E5FADB1EF15E4CE6259E5812C0DE4062D005B
c0c5c4eae6122eea65f5b3d0edecedb7240b47160b110019f4092572dbb28b67
```

### Data extractor 1

```
F8DA8EAD6E74E93482C8C4857783BBFF13E17930C924D4B450E978A97CBFA4ED
```

### Data extractor 2

```
76538110C1207E47674BD7561AEA5CD41C8DDF7228A3FB141C70E7193EC04CD2
BE2DB9EB879B54C1C7220CF858EA3A4BD31E2474F3BE13D5ABEA2A0C1C24CA4B
```

### ShellCodeExecutor

```
3CF29801BB08C335B97B7FBEF86DF085EA848D6A6CC0790CCCFCECACE07879CB
```

### StartService

```
b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40
7C9257945F61D0F807064AA3BCEE04192E5396784DDE4C258D82BF3DBDDC2708
```

### ServiceInstaller

```
DDDFFAD08343309561583F4AED1314949873E447E9BADB7B9619C36B0D96F9D6
```

### UAC Bypass

```
268945FDF918EF6CB9863072BB898D1019C0911D4BC3BEB60A8A6F63D958D2A6
```

### Lazagne

```
5D953D887ABF65FA7C8D3A2336B6EC8E510B1019819E93A6CFC0D767B0C89A4C
F7DF1B0B031BB5CE55A6DEDC83238838939A3DF6754DFC672302033BDA6C43EC
```

### Mimikatz

```
37286285CB0F8305BD23A693B2E7ACE71538E4C0B9F13EE6CA4E9E9419657813
11B680737EB744867F8194D0997B0B694DBE2D5EFDBCEF88D404B1F79B7F7B7A
EAD61053881B4B6531B1610AD6A41096F181D2793A0EFC353D5B92B92548A2F4
8EB83D8739BF93D182ACDEF104D212F028FC1BD70336B22E4DCD41896BB580D1
```

### PortScanner

```
2F81A30C205ED7BCA253FD5D14C164CBA0FE5CCB63D0A6CE29ABF324A1FD4814
```

### Nbtscan

```
C9D5DC956841E000BFD8762E2F0B48B66C79B79500E894B4EFA7FB9BA17E4E9E
DA21AA6710528B9267833E2EF2E7974F5E7D32F02201FB63326FEA174926E78F
```

### Earthworm

```
0f11d142064c98c35258ad7e761b66980faa7fbc34ced687689b774e6b0c6efe
5D1732094EEADDB74017BDA0BEFC1379817D19BD0093FD4FA2FFDC2D146C24A9 (VM protected)
```

### FRP

```
247834006F766C942184F74757552B8FF243EC47892240329D23E80A88151605
```

## Network indicators

### C&C servers

Indicators are defanged (`[.]` in place of `.`); where a port is known it follows the IP or host.

```
202.179.0[.]142 8000
202.179.0[.]142 8080
202.179.5[.]161 443
202.179.5[.]85 8080
202.179.5[.]43 443
203.91.119[.]4 8000
202.59.9[.]58 80
139.180.208[.]225
202.59.9[.]58 80 8443
106.13.149[.]126 443
139.180.208[.]225 443
139.180.155[.]133 80
45.77.55[.]145
oss.chrome-upgrade[.]com
go.vegispaceshop[.]org
web.microlynconline[.]com:80
home.microlynconline[.]com:8000
help.microlynconline[.]com:443
host.microlynconline[.]com:53
```
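The lists above are raw data: hashes in mixed case, network indicators defanged with `[.]`, ports written sometimes as `host port` and sometimes as `host:port`. The following Python script is an added example (not part of this page and not ESET tooling) showing how to turn them into something you can actually run against a host: it normalizes the hashes, refangs and parses the C&C entries (including a line with two ports), scans a directory tree by SHA-256, and flags hosts, subdomains and ports in proxy log lines. The indicator subset is copied from this page; the planted file and the log line are constructed test data.

```python
"""Match files and log lines against the LuckyMouse IoCs on this page.

Added example; not ESET code. The indicator lists are a subset copied from
the page, everything else (file contents, log line) is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Subset of the SHA-256 list above. The page mixes upper- and lower-case hex,
# so hashes are lower-cased before comparison.
SAMPLE_HASHES = {
    "1EC731E955957FD06C42692BAE06C2EC13A39FE206ED65A5F145AE26D561C6BC",  # Backdoor PolPo
    "56abd939abcc49570ab00eb4c5b0898c37549afd8539f4c8b7239530889807d1",  # Information Collector
    "b861eab09daec59d5bea634b1ecf0edad17f819dc381dfd472fd23b4d9412c40",  # StartService
}

# Subset of the C&C indicators above, exactly as the page writes them.
DEFANGED_NETWORK = [
    "202.179.0[.]142 8000",
    "202.179.5[.]161 443",
    "202.59.9[.]58 80 8443",
    "oss.chrome-upgrade[.]com",
    "web.microlynconline[.]com:80",
    "host.microlynconline[.]com:53",
]


def normalize_hashes(hashes):
    """Lower-case and strip every hash so case differences on the page do not matter."""
    return {h.strip().lower() for h in hashes if h.strip()}


def refang(indicator):
    """The page defangs only the dots: 'a[.]b' -> 'a.b'."""
    return indicator.replace("[.]", ".")


def parse_network_indicator(raw):
    """Return (host, [ports]) from 'host port', 'host:port', 'host p1 p2' or a bare host."""
    parts = re.split(r"[ :]+", refang(raw.strip()))
    return parts[0].lower(), [int(p) for p in parts[1:] if p.isdigit()]


def build_network_index(defanged):
    """Map refanged host -> set of listed ports (empty set means no port was given)."""
    index = {}
    for raw in defanged:
        host, ports = parse_network_indicator(raw)
        index.setdefault(host, set()).update(ports)
    return index


# IPv4 or dotted hostname, optionally followed by :port; the lookbehind keeps us
# from starting a match in the middle of a longer token.
HOST_RE = re.compile(
    r"(?<![\w.-])((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::(\d{1,5}))?",
    re.I,
)


def match_network_line(line, index):
    """Return [(ioc_host, seen_port, port_listed)] for every C&C host or subdomain in a log line."""
    hits = []
    for m in HOST_RE.finditer(line):
        host = m.group(1).lower()
        port = int(m.group(2)) if m.group(2) else None
        for ioc_host, ioc_ports in index.items():
            if host == ioc_host or host.endswith("." + ioc_host):
                hits.append((ioc_host, port, (not ioc_ports) or (port in ioc_ports)))
    return hits


def sha256_of(path):
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, hashes):
    """Return [(path, sha256)] for every regular file under root whose hash is listed."""
    wanted = normalize_hashes(hashes)
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_of(p)
            if digest in wanted:
                hits.append((str(p), digest))
    return hits


def demo():
    """Constructed end-to-end run: plant a file, list its hash, scan, then check a log line."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "http_dll.dat"          # file name only; content is harmless
        planted.write_bytes(b"constructed test content, not malware")
        file_hits = scan_tree(tmp, SAMPLE_HASHES | {sha256_of(planted).upper()})
    index = build_network_index(DEFANGED_NETWORK)
    log = "2021-01-01T00:00:00Z proxy CONNECT web.microlynconline.com:80 from 10.0.0.5"  # constructed
    return {"file_hits": [Path(p).name for p, _ in file_hits],
            "network_hits": match_network_line(log, index)}


if __name__ == "__main__":
    print(demo())
```

Feed `scan_tree` the full hash list and `build_network_index` the full C&C list to use it for real; `port_listed` being `False` means the host matched but on a port the page does not list, which is worth a look rather than a dismissal.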