Pulse Detail — Threat Intelligence

PULSE NAME

Kimsuky abuses a valid certificate to distribute TrollAgent

WHITE Kimsuky AlienVault 2024-02-19 Modified: 2024-02-19

IOCs

HIGH VOLUME

A malicious TrollAgent malware was found to be downloaded when attempting to install security software from a South Korean construction association website. The malware can steal information and receive commands from attackers. Users should keep antivirus software updated to prevent infection.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1071 T1140 T1566 T1027 T1056

MALWARE FAMILIES

TrollAgent

Indicators of Compromise (85)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	013c4ee2b32511b11ee9540bb0fdb9d1	—	2024-02-19
FileHash-MD5	035cf750c67de0ab2e6228409ac85ea3	—	2024-02-19
FileHash-MD5	19c2decfa7271fa30e48d4750c1d18c1	—	2024-02-19
FileHash-MD5	27ef6917fe32685fdf9b755eb8e97565	—	2024-02-19
FileHash-MD5	2aaa3f1859102aab35519f0d4c1585dd	—	2024-02-19
FileHash-MD5	2b678c0f59924ca90a753daa881e9fd3	—	2024-02-19
FileHash-MD5	4168ff8b0a3e2f7e9c96afb653d42a01	—	2024-02-19
FileHash-MD5	4222492e069ac78a55d3451f4b9b9fca	—	2024-02-19
FileHash-MD5	42ea65fda0f92bbeca5f4535155125c7	—	2024-02-19
FileHash-MD5	6097d030fe6f05ec0249e4d87b6be4a6	—	2024-02-19
FileHash-MD5	62fba369711087ea37ef0b0ab62f3372	—	2024-02-19
FileHash-MD5	7457dc037c4a5f3713d9243a0dfb1a2c	—	2024-02-19
FileHash-MD5	7b6d02a459fdaa4caa1a5bf741c4bd42	—	2024-02-19
FileHash-MD5	87429e9223d45e0359cd1c41c0301836	—	2024-02-19
FileHash-MD5	88f183304b99c897aacfa321d58e1840	—	2024-02-19
FileHash-MD5	8d4af59eebdcda10f3c88049bb097a3a	—	2024-02-19
FileHash-MD5	9360a895837177d8a23b2e3f79508059	—	2024-02-19
FileHash-MD5	9e75705b4930f50502bcbd740fc3ece1	—	2024-02-19
FileHash-MD5	a67cf9add2905c11f5c466bc01d554b0	—	2024-02-19
FileHash-MD5	b532f3dcc788896c4844f36eb6cee3d1	—	2024-02-19
FileHash-MD5	b97abf7b17aeb4fa661594a4a1e5c77f	—	2024-02-19
FileHash-MD5	c8e7b0d3b6afa22e801cacaf16b37355	—	2024-02-19
FileHash-MD5	d67abe980a397a94e1715df6e64eedc8	—	2024-02-19
FileHash-MD5	dc636da03e807258d2a10825780b4639	—	2024-02-19
FileHash-MD5	e4a6d47e9e60e4c858c1314d263aa317	—	2024-02-19
FileHash-SHA1	120891212a78114fe114217012c2a000727e034b	—	2024-02-19
FileHash-SHA1	3d1731fa03f2bb8b3ca74ab49c83923428e58362	—	2024-02-19
FileHash-SHA1	4a705f58918c00431de453d5b5f621fa42ff7169	—	2024-02-19
FileHash-SHA1	4c8b7d968806f8108ccde6ac07a37b8174ac44bf	—	2024-02-19
FileHash-SHA1	4eea45c22881a092ac7a8b0a5379076d5803e83e	—	2024-02-19
FileHash-SHA1	6d531b021b20febf1dafa730582944eb82d9c6f3	—	2024-02-19
FileHash-SHA1	e6be97ca9e79b45c671c6531908f70b353d47994	—	2024-02-19
FileHash-SHA256	2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e	—	2024-02-19
FileHash-SHA256	61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92	—	2024-02-19
FileHash-SHA256	6eebb5ed0d0b5553e40a7b1ad739589709d077aab4cbea1c64713c48ce9c96f9	—	2024-02-19
FileHash-SHA256	955cb4f01eb18f0d259fcb962e36a339e8fe082963dfd9f72d3851210f7d2d3b	—	2024-02-19
FileHash-SHA256	a8c24a3e54a4b323973f61630c92ecaad067598ef2547350c9d108bc175774b9	—	2024-02-19
FileHash-SHA256	f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3	—	2024-02-19
FileHash-SHA256	ff3718ae6bd59ad479e375c602a81811718dfb2669c2d1de497f02baf7b4adca	—	2024-02-19
URL	http://ai.aerosp.p-e.kr/index.php	—	2024-02-19
URL	http://ai.bananat.p-e.kr/index.php	—	2024-02-19
URL	http://ai.daysol.p-e.kr/index.php	—	2024-02-19
URL	http://ai.kimyy.p-e.kr/index.php	—	2024-02-19
URL	http://ai.kostin.p-e.kr/index.php	—	2024-02-19
URL	http://ai.limsjo.p-e.kr/index.php	—	2024-02-19
URL	http://ai.negapa.p-e.kr/index.php	—	2024-02-19
URL	http://ai.selecto.p-e.kr/index.php	—	2024-02-19
URL	http://ai.ssungmin.p-e.kr/index.php	—	2024-02-19
URL	http://ar.kostin.p-e.kr/index.php	—	2024-02-19
URL	http://ca.bananat.p-e.kr/index.php	—	2024-02-19
URL	http://ce.aerosp.p-e.kr/index.php	—	2024-02-19
URL	http://coolsystem.co.kr/admin/mail/index.php	—	2024-02-19
URL	http://dl.netup.p-e.kr/index.php	—	2024-02-19
URL	http://li.ssungmin.p-e.kr/index.php	—	2024-02-19
URL	http://ol.negapa.p-e.kr/index.php	—	2024-02-19
URL	http://pe.daysol.p-e.kr/index.php	—	2024-02-19
URL	http://pi.selecto.p-e.kr/index.php	—	2024-02-19
URL	http://qa.jaychoi.p-e.kr/index.php	—	2024-02-19
URL	http://qi.limsjo.p-e.kr/index.php	—	2024-02-19
URL	http://sa.netup.p-e.kr/index.php	—	2024-02-19
URL	http://ve.kimyy.p-e.kr/index.php	—	2024-02-19
URL	http://viewer.appofficer.kro.kr/index.php	—	2024-02-19
domain	coolsystem.co.kr	—	2024-02-19
hostname	ai.aerosp.p-e.kr	—	2024-02-19
hostname	ai.bananat.p-e.kr	—	2024-02-19
hostname	ai.daysol.p-e.kr	—	2024-02-19
hostname	ai.kimyy.p-e.kr	—	2024-02-19
hostname	ai.kostin.p-e.kr	—	2024-02-19
hostname	ai.limsjo.p-e.kr	—	2024-02-19
hostname	ai.negapa.p-e.kr	—	2024-02-19
hostname	ai.selecto.p-e.kr	—	2024-02-19
hostname	ai.ssungmin.p-e.kr	—	2024-02-19
hostname	ar.kostin.p-e.kr	—	2024-02-19
hostname	ca.bananat.p-e.kr	—	2024-02-19
hostname	ce.aerosp.p-e.kr	—	2024-02-19
hostname	dl.netup.p-e.kr	—	2024-02-19
hostname	li.ssungmin.p-e.kr	—	2024-02-19
hostname	ol.negapa.p-e.kr	—	2024-02-19
hostname	pe.daysol.p-e.kr	—	2024-02-19
hostname	pi.selecto.p-e.kr	—	2024-02-19
hostname	qa.jaychoi.p-e.kr	—	2024-02-19
hostname	qi.limsjo.p-e.kr	—	2024-02-19
hostname	sa.netup.p-e.kr	—	2024-02-19
hostname	ve.kimyy.p-e.kr	—	2024-02-19
hostname	viewer.appofficer.kro.kr	—	2024-02-19

References (2)

↗ ↗ https://asec.ahnlab.com/ko/61666/