奇安信威胁情报中心
Common Information
Type Value
UUID 2939e9b2-1c1f-4294-8524-8fdd28f5f97c
Fingerprint c9b38b15d4197f87
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 28, 2019, midnight
Added to db Jan. 18, 2023, 10:39 p.m.
Last updated Nov. 17, 2024, 5:54 p.m.
Headline Overview
Title 奇安信威胁情报中心
Detected Hints/Tags/Attributes 24/1/75
Attributes
Details Type #Events CTI Value
Details Threat Actor Identifier - APT-C 8
APT-C-37