IoC MD5 – a714b928bbc7cd480fed85e379966f95 (VT: 43/72) : AndarLoader (%SystemDirectory%\SVPNClientW.exe)
– 4f1b1124e34894398aa423200a8ab894 (VT: 43/72) : KeyLogger (%USERPROFILE%\documents\kerberos.tmp, %USERPROFILE%\kl.exe, %SystemDirectory%\dllhostsvc.exe)
– 2c69c4786ce663e58a3cc093c6d5b530 (VT: 0) : ModeLoader
– 29efd64dd3c7fe1e2b022b7ad73a1ba5 (VT: 64/73) : Mimikatz (%USERPROFILE%\mimi.exe)
C&C 주소 (C2 addresses)
– privacy.hopto[.]org:443 : AndarLoader
– privatemake.bounceme[.]net:443 : AndarLoader
– 84.38.129[.]21 : MeshAgent
– hxxp://www.ipservice.kro[.]kr/index.php : ModeLoader
– hxxp://www.ipservice.kro[.]kr/view.php : ModeLoader
– hxxp://www.ipservice.kro[.]kr/modeRead.php : ModeLoader
– hxxp://panda.ourhome.o-r[.]kr/view.php : ModeLoader
– hxxp://panda.ourhome.o-r[.]kr/modeRead.php : ModeLoader
– hxxp://panda.ourhome.o-r[.]kr/modeView.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/view.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/modeView.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/modeRead.php : ModeLoader
– hxxp://www.mssrv.kro[.]kr/modeWrite.php : ModeLoader