inicore_v2.3.30.dll

Malware updated 5 months ago (2024-05-04T18:13:43.310Z)
inicore_v2.3.30.dll is a variant of Budworm's SysUpdate backdoor, referred to as SysUpdate DLL inicore_v2.3.30.dll. This variant was leveraged in an attack described in an advisory published by our team. The same DLL had previously been used in Emissary Panda attacks, where it was sideloaded to run the SysUpdate tool; because the file is loaded by sideloading, the file name on its own is a weak indicator, and the loading executable and path matter as much as the DLL.

A code comparison between a PYTHON33.dll file uploaded to a webshell and the inicore_v2.3.30.dll file revealed similarities, indicating a possible link between the two. The comparison is illustrated in Figure 9, showing PYTHON33.dll (right) and inicore_v2.3.30.dll (left), SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822.

The backdoor's configuration uses several keys: 'Bin' holds the payload file name, 'Dll' the hijacked DLL used to run the payload, and 'OnlineHelp' the command-and-control IP address. Other keys are 'Console', 'Group', and 'MD5'. Across the samples analyzed the values were consistent: 'sys.bin.url' for Bin, 'inicore_v2.3.30.dll' for Dll, and 'HjDWr6vsJqfYb89mxxxx' for MD5 (note that this value is not a hexadecimal MD5 digest, so the key carries an identifier rather than a file hash). These findings suggest that Budworm, also known as LuckyMouse, Emissary Panda, or APT27, has deployed a previously unseen variant of its SysUpdate backdoor.
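As an added illustration (not code from this page or from the advisory's authors), the Python triage helper below takes a SysUpdate-style configuration that has already been decoded into `Key=Value` text lines, an assumed format since the page does not describe the on-disk encoding, and extracts the indicators described above: the C2 address from 'OnlineHelp', the sideloaded DLL and payload names, whether the values match those reported across the analyzed samples, and a warning that the 'MD5' value is not a digest. The sample configuration is constructed; the C2 address is a documentation range and the 'Console' and 'Group' values are invented.

```python
"""Triage helper for a SysUpdate-style key/value configuration.

Added example, not code from this page or from the advisory's authors.
Assumption: the configuration has already been decoded into plain
`Key=Value` text lines; the page does not describe the on-disk encoding,
and the sample below is constructed (203.0.113.10 is a documentation
address, and the Console/Group values are invented).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Values the page reports as consistent across the analyzed samples.
KNOWN_VALUES = {
    "Bin": "sys.bin.url",
    "Dll": "inicore_v2.3.30.dll",
    "MD5": "HjDWr6vsJqfYb89mxxxx",
}

# Keys the page lists, with the roles it gives them (Console/Group are
# only named, not explained, so their role is recorded as unknown).
KEY_ROLES = {
    "Bin": "payload file name",
    "Dll": "hijacked DLL used to run the payload",
    "OnlineHelp": "command-and-control IP address",
    "Console": "unknown",
    "Group": "unknown",
    "MD5": "identifier string (sample value is not a hex digest)",
}

SAMPLE_CONFIG = """\
# constructed sample in the assumed decoded form
Bin=sys.bin.url
Dll=inicore_v2.3.30.dll
OnlineHelp=203.0.113.10:443
Console=0
Group=default
MD5=HjDWr6vsJqfYb89mxxxx
"""


@dataclass
class Triage:
    keys: Dict[str, str]
    c2: Optional[str] = None
    matches: List[str] = field(default_factory=list)   # keys whose value matches KNOWN_VALUES
    warnings: List[str] = field(default_factory=list)


def parse_config(text: str) -> Dict[str, str]:
    """Parse decoded Key=Value lines; blank lines and '#' comments are skipped."""
    keys: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed config line: {line!r}")
        key, value = line.split("=", 1)   # only the first '=' separates key and value
        keys[key.strip()] = value.strip()
    return keys


def is_hex_digest(value: str, length: int = 32) -> bool:
    """True if value looks like a hex digest of the given length (32 for MD5)."""
    return len(value) == length and all(c in "0123456789abcdefABCDEF" for c in value)


def extract_c2(value: str) -> Optional[str]:
    """OnlineHelp carries the C2 IP; accept a bare IP (v4 or v6) or IPv4 with ':port'.

    Returns the IP as a string, or None when the value is not an IP address.
    """
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    host, _, port = value.partition(":")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        return None
    return host


def triage(text: str) -> Triage:
    """Parse a decoded config and pull out the indicators an analyst wants."""
    keys = parse_config(text)
    result = Triage(keys=keys)
    for key, value in keys.items():
        if key not in KEY_ROLES:
            result.warnings.append(f"unexpected key {key!r}")
        if KNOWN_VALUES.get(key) == value:
            result.matches.append(key)
    if "OnlineHelp" in keys:
        result.c2 = extract_c2(keys["OnlineHelp"])
        if result.c2 is None:
            result.warnings.append("OnlineHelp does not hold an IP address")
    if "MD5" in keys and not is_hex_digest(keys["MD5"]):
        result.warnings.append("MD5 value is not a hex digest; treat it as an identifier")
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_CONFIG)
    print("C2:", r.c2, "| known-value matches:", r.matches, "| warnings:", r.warnings)
```

The known-value matches are the point of the check: a decoded configuration whose 'Bin', 'Dll' and 'MD5' values line up with the ones reported here ties a sample to this SysUpdate variant even when the C2 address differs, while the 'OnlineHelp' value is what goes into network blocking and retrospective log searches.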
Description last updated: 2023-10-10T18:31:17.744Z
Possible Aliases / Cluster overlaps
Cluster naming and overlaps differ between vendors, so the following overlapping names / profiles may also be relevant.
Alias / Description (votes)
SysUpdate is a possible alias for inicore_v2.3.30.dll. SysUpdate is a malicious software (malware) predominantly utilized by the Budworm group, also known as APT27, Emissary Panda, LuckyMouse, among other names. This malware variant is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites w (3 votes)
Emissary Panda is a possible alias for inicore_v2.3.30.dll. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive (2 votes)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Associated Threat Actors
Alias / Description (association type, votes)
The Budworm Threat Actor is associated with inicore_v2.3.30.dll. Budworm, also known as LuckyMouse or APT27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41, (association type: unspecified; 2 votes)