This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see



This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as BISTROMATH. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]

DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at multiple versions of a full-featured RAT implant executable and multiple versions of the CAgent11 GUI implant controller/builder. These samples performs simple XOR network encoding and are capable of many features including conducting system surveys, file upload/download, process and command execution, and monitoring the microphone, clipboard, and the screen. The GUI controllers allow interaction with the implant as well as the option to dynamically build new implants with customized options. The implants are loaded with a trojanized executable containing a fake bitmap which decodes into shellcode which loads the embedded implant.

For a downloadable copy of IOCs, see MAR-101265965-1.v1.stix.

Submitted Files (5)

04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 (96071956D4890AEBEA14ECD8015617…)

1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 (688890DDBF532A4DE7C83A58E6AA59…)

618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 (0AE8A7B6B4D70C0884095629FC02C1…)

738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 (C51416635E529183CA5337FADE8275…)

b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32 (26520499A3FC627D335E34586E99DE…)

Additional Files (2)

133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f (a21171923ec09b9569f2baad496c9e…)

43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c (83833f8dbdd6ecf3a1212f5d1fc3d9…)

IPs (1)





Name 688890DDBF532A4DE7C83A58E6AA594F
Name ss.exe
Size 1102926 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 688890ddbf532a4de7c83a58e6aa594f
SHA1 d8f6a7f32c929ce9458691447ff1cf6d180588c8
SHA256 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
SHA512 8484bea6adf27c2323632c3e94f91eb313e341622b5696b0d24105be1f24fa356f5fceb8fcf691e2d309fd24f7d8bb41fd7b682c29193128a0ed55e9ef3df3b1
ssdeep 24576:kgWxnOH3vvS+7nD03glQ1J6cS2lvyip5HkRpB7T4IRMh3y:kgWZMvSKnY3DJLSoORT7ThAC
Entropy 7.951069
Ahnlab Trojan/Win32.Bmdoor
Antiy Trojan[Backdoor]/Win32.Androm
Avira TR/Injector.ukfuc
BitDefender Trojan.GenericKD.41987827
ClamAV Win.Trojan.Agent-7376538-0
Cyren W32/Trojan.IZTF-2035
ESET a variant of Win32/Injector.DQTY trojan
Emsisoft Trojan.GenericKD.41987827 (B)
Ikarus Trojan.Win32.Injector
K7 Riskware ( 0040eff71 )
McAfee Trojan-Injector.c
Microsoft Security Essentials Trojan:Win32/Agentesla!MTB
NANOAV Trojan.Win32.Androm.ghyuau
Sophos Troj/Inject-ETF
Symantec Backdoor.Tidserv
Systweak trojan.injector
TACHYON Backdoor/W32.Androm.1102926
TrendMicro TROJ_FR.7170E263
TrendMicro House Call TROJ_FR.7170E263
VirusBlokAda Backdoor.Androm
Zillya! Backdoor.Androm.Win32.44606
YARA Rules
  • rule CryptographyFunction    
           author = “CISA trusted 3rd party”
           incident = “10271944.r1.v1”
           date =    “2019-12-25”
           category = “Hidden_Cobra”
           family = “HOTCROISSANT”
           $ALGO_crypto_1 = { 8A [1-5] 32 [1-4] 32 [1-4] 32 [1-4] 88 [1-5] 8A [1-4] 32 [1-4] 22 [1-4] 8B [1-5] 8D [3-7] 33 [1-4] 81 [3-7] C1 [1-5] C1 [1-5] 0B [1-4] 8D [1-5] 33 [1-4] 22 [1-4] C1 [1-5] 33 [1-4] 32 [1-4] 8B [1-4] 83 [1-5] C1 [1-5] 33 [1-4] C1 [1-5] C1 }
           uint16(0) == 0x5A4D and any of them
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2008-01-17 10:34:19-05:00
Import Hash 68d3c5fd0c41042f190fa12a4eebfe1b
PE Sections
MD5 Name Raw Size Entropy
0b8ab9af886c4161371944bd46af685d header 1024 2.484025
0cc984b88cda683bad52d886fbadf22d .text 77824 6.585222
d7200a9095f81e46d89eb2175a7d16ba .rdata 21504 4.940483
56eae295cdc645a889cc51643c19ca1c .data 5632 3.200450
31d4e62663767a64bd72b957df2bed2e .rsrc 1536 4.029623
c7a9818fe1b1f64be18f67db25dbed6d .reloc 7680 4.982554
1ea6b3e99b… Connected_To
1ea6b3e99b… Contains 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c

The samples use a ‘RichEdit example’ executable to obfuscate calling a decryption function which decrypts an embedded ‘fake’ bitmap image into the configuration and shellcode. When the malicious function is called, it deobfuscates API pointers, loads the full file into memory, calculates an offset into the memory to a ‘fake’ bitmap image, decodes the image; which becomes configuration options and shellcode and then executes the shellcode.

The embedded shellcode has many selectable options.

———-Begin Shellcode Options———-
– option00: Embedded vs Downloaded payload
   0 -> payload embedded within own file at offset (option27 + option28 + option22)
   1 -> Download payload from url <option30> to %temp$<option31>RGID3D88.tmp

– option01: True -> check for vm artifacts:
   registry checks:
       VMWARE Scsi device
       VBOX Scsi device
       QEMU Scsi device
       HARDWAREDescriptionSystemSystemBiosVersion == “VBOX”
       HARDWAREDescriptionSystemSystemBiosVersion == “QEMU”
       HARDWAREDescriptionSystemSystemBiosVersion == “BOCHS”
       HARDWAREDescriptionSystemVideoBiosVersion == “VIRTUALBOX”
       HARDWAREDescriptionSystemSystemBiosDate == 06/23/99
   file checks:
   Network Adapter checks:
       Check for Vmware MAC addresses
       Check for VirtualBox MAC addresses
       Check for VMware network adapter
   Window Checks:
   Process Checks:
   Loaded DLLs:

– option02: True -> check for sandbox artifacts:
   Verify spin loops aren’t skipped
   Verify kernel32 doesn’t contain export “wine_get_unix_file_name”
   Verify Numa api calls are not bypassed
   Loaded DLLs:
   registry checks:
   file checks:
   username checks:
   current directory checks:

– option03: True -> check for debugging artifacts:    
   API calls:

– option04: Check if certain processes are running:
   0 -> ignored
   1 -> exit if specific processes are running
   2 -> exit if specific processes are not running
   parses option31_array_+0x200 for a list of ;,: separated process names

– option05: Queries SoftwareMicrosoftWindowsCurrentVersionUninstall keys
   exits if return value is != 0

– option06: Check for specific languages
   0 -> ignored
   1 -> exit if current language is found in list
   2 -> exit if current language is not found in list
   parses option31_array_+0x4b0 for a list of ;,: separated languages

– option07: Check for specific usernames
   0 -> ignored
   1 -> exit if current username is found in list
   2 -> exit if current username is not found in list
   parses option31_array_+0x6b8 for a list of ;,: separated usernames

– option08: Check for specific computernames
   0 -> ignored
   1 -> exit if current computernames is found in list
   2 -> exit if current computernames is not found in list
   parses option31_array_+0x8ac for a list of ;,: separated computernames

– option09: Something with querying SoftwareMicrosoftWindowsCurrentVersionUninstall keys
   exits if return value is < option09_value

– option10: integer value -> exits if there are fewer than this many processes running

– option11-14: Check for system/drive info
   11==0x001 -> exit if number of processors <= option12
   11==0x010 -> exit if total physical memory <= option13
   11==0x100 -> exit if total harddisk space <= option14

– option12/27/28: if True -> exploit dll hijack in cliconfg.exe (SQL Server Client Network Utility)
   dumps a number (option28) of bytes from an offset (option27) of this file into %temp%ntwdblib.dll
   creates a SoftwareClaiomh registry key
   executes cliconfg.exe (which loads ntwdblib.dll)

– option16: Set EnableLUA registry key
   SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA to <option16>

– option17: Create Persistence
   0 -> ignored
   1 -> Add registry key to SoftwareMicrosoftWindowsCurrentVersionRun using a name from option31_array_+0x960
   2 -> Copy self into Startup folder
   3 -> Create an hourly Scheduled Task called “System Backup”

– option18/23: Process Hollowing vs Drop/Execute
   == 0 -> Do Process Hollowing
   != 0 -> Dump payload to file and execute directly:
       write to %temp%RT5380.exe using own file offset (option27 + option28 + option22) and execute
       write to %temp%<option30> using own file offset (option27 + option28 + option22) and execute
       check option23:
– ==0 -> ignored
– !=0 -> delete self and replace self with the dropped file

– option19: Process to create/hollow/inject/execute
   0 -> self
   1 -> svchost.exe
   2 -> conhost.exe
   3 -> explorer.exe
   4 -> value of “httpshellopencommand” registry key
   5 -> <option33>

– option20: Sleep timer
   Milliseconds to sleep before doing process hollowing

– option21/26: Kill timer
   0 -> ignored
   1 -> if timestamp of module + <option26> >= currentTime -> remove persistance, delete self, exit process

– option29/34/35: move file to desired location, delete old file, and execute from new location
   additional path is in option34
   new filename is in option35
   0 -> C:
   1 -> %windir%
   2 -> %system%
   3 -> %programfiles%
   4 -> %programfiles%Common Files
   5 -> C:ProgramData
   6 -> %userprofile%
   7 -> %userprofile%Documents
   8 -> %temp%
   9 -> %userprofile%Favorites
   10 -> %appdata%n
   11 -> %localappdata%

– option36: char[40] – Unknown – Possibly adds a mutex to the hollowed process to enforce a single execution
   Uses argument to create a named mutex
   Injects additional code into the hollowed process (from offset 0x28c0)
   Injects <option36> into the hollowed process
   Creates another remote thread in the hollowed process pointing at offset 0x465a of the newly injected memory
———-End Shellcode Options———-