Tracking the entire iceberg – long‑term APT malware C2 protocol emulation and scanning
Common Information
UUID: 5d81af78-151a-4809-a65b-1281ec94ced9
Fingerprint: 9fc78dded96b54f8fff6ed3f5318975e5a698e504386ed8086d63b0997beccdb
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Sept. 19, 2022, 7 p.m.
Added to db: April 14, 2024, 3:15 a.m.
Last updated: Aug. 31, 2024, 5:16 a.m.
Headline: Tracking the entire iceberg – long‑term APT malware C2 protocol emulation and scanning
Title: Tracking the entire iceberg – long‑term APT malware C2 protocol emulation and scanning
Detected Hints/Tags/Attributes: 94/3/101
Attributes (Type (#Events): Value)
Domain (20): vmware.com
Domain (247): www.virusbulletin.com
Domain (4): wwa1we.wbew.amazon-corp.wikaba.com
Domain (3): c2fs.py
Domain (25): content.fireeye.com
Domain (11): www.novetta.com
Domain (26): www.jpcert.or.jp
Domain (37): blogs.vmware.com
Domain (16): www.hex-rays.com
Domain (262): www.welivesecurity.com
Domain (604): www.trendmicro.com
Domain (4127): github.com
Domain (47): go.recordedfuture.com
Domain (124): www.sentinelone.com
Domain (19): www.pwc.co.uk
Domain (268): www.virustotal.com
Domain (1): www.quicklz.com
Domain (3): st.drweb.com
Domain (46): jsac.jpcert.or.jp
Domain (58): www.shodan.io
Domain (61): censys.io
Domain (2): api.shodan.io
Domain (2): support.torproject.org
Domain (3): mullvad.net
Email (1): tharuyama@vmware.com
File (3): validate_cookie.py
File (2): internet_c2_scan.py
File (103): test.txt
File (2): sp_scan_auto_202206xx_xxxxxx.csv
File (3): c2fs.py
File (3): query.txt
File (1): game-130410.pdf
File (4): novetta_winntianalysis.pdf
File (2): jsac2018_09_yanagishita-takeuchi.pdf
File (1): malware-4-0.html
File (2): debugging_appcall.pdf
File (1): winnti-abuses-github.html
File (1): using-protocol-emulation-part2-winnti-4-0.html
File (1): monitoring-winnti-4-0-c2-servers-for-two-years.html
File (5): campaign.html
File (1): cta-2021-0921.pdf
File (4): chasing-shadows.html
File (3): 1_en.pdf
File (4): jsac2021_301_shui-leon_en.pdf
Github username (3): zmap
Github username (7): carbonblack
Threat Actor Identifier - APT (522): APT41
Threat Actor Identifier by Recorded Future (8): TAG-28
Url (1): http://172.16.24.127:80
Url (3): http://137.220.185.203:443
Url (3): https://137.220.185.203:443
Url (2): https://content.fireeye.com/apt-41
Url (1): https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-
Url (2): https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
Url (2): https://www.jpcert.or.jp/present/2018/jsac2018_09_yanagishita-takeuchi.pdf
Url (1): https://blogs.vmware.com/security/2019/09/cb-tau-threat-intelligence-notification-winnti-
Url (1): https://www.hex-rays.com/wp-content/uploads/2019/12
Url (1): https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-
Url (15): https://www.trendmicro.com/en_us
Url (1): https://github.com/zmap/zmap.
Url (1): https://blogs.vmware.com/security/2020/02/threat-analysis-active-c2-discovery-
Url (1): https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html
Url (1): https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/operation-harvest-a-deep-dive-into-a-long-term-
Url (2): https://go.recordedfuture.com/hubfs/reports
Url (2): https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-
Url (3): https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html
Url (2): https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-
Url (1): https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/.
Url (3): https://www.virustotal.com/gui/file
Url (1): http://www.quicklz.com/.
Url (1): https://st.drweb.com
Url (1): https://st.drweb.com/static
Url (1): https://jsac.jpcert.or.jp
Url (7): https://www.shodan.io/.
Url (1): https://censys.io/.
Url (1): https://api.shodan.io/shodan/ports.
Url (1): https://support.torproject.org/abuse/i-want-to-ban-tor/.
Url (1): https://mullvad.net/en/.
Url (1): https://github.com/zmap/zmap/issues/580.
Url (1): https://github.com/carbonblack/active_c2_ioc_public.