Dalbit (m00nlight): Chinese Hacker Group's APT Attack Campaign - ASEC BLOG
Tags
cmtmf-attack-pattern: Command And Scripting Interpreter; Scheduled Task/Job; Stage Capabilities
country: China
maec-delivery-vectors: Watering Hole
attack-pattern: Data Authentication Attempt - T1381; Command And Scripting Interpreter - T1623; Credentials - T1589.001; Data Encrypted For Impact - T1471; Data Encrypted For Impact - T1486; Data From Local System - T1533; Domain Account - T1087.002; Domain Account - T1136.002; Domains - T1583.001; Domains - T1584.001; Email Account - T1087.003; Exfiltration Over Web Service - T1567; Exploitation For Privilege Escalation - T1404; Hardware - T1592.001; Hooking - T1617; Impair Defenses - T1562; Impair Defenses - T1629; Ingress Tool Transfer - T1544; Ip Addresses - T1590.005; Lateral Tool Transfer - T1570; Malware - T1587.001; Malware - T1588.001; Scheduled Task/Job - T1603; Screen Capture - T1513; Server - T1583.004; Server - T1584.004; Server Software Component - T1505; Software - T1592.002; Stage Capabilities - T1608; System Services - T1569; Web Service - T1481; Tool - T1588.002; Vulnerabilities - T1588.006; Upload Malware - T1608.001; Access Token Manipulation - T1134; Account Discovery - T1087; Account Manipulation - T1098; Command-Line Interface - T1059; Connection Proxy - T1090; Create Account - T1136; Credential Dumping - T1003; Data From Local System - T1005; Email Collection - T1114; Exploitation For Privilege Escalation - T1068; Hooking - T1179; Indicator Removal On Host - T1070; Remote File Copy - T1105; Network Service Scanning - T1046; Remote Services - T1021; Remote System Discovery - T1018; Scheduled Task - T1053; Screen Capture - T1113; Windows Management Instrumentation - T1047; Web Service - T1102; Connection Proxy; Hooking; Remote System Discovery; Screen Capture
Common Information
Type Value
UUID 7e2f5f2d-dfcd-4455-99cc-c25b3ed4c0a0
Fingerprint b5bcb4df8eb29485
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 13, 2023, 9:06 a.m.
Added to db Feb. 13, 2023, 8:50 a.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
Title Dalbit (m00nlight): Chinese Hacker Group's APT Attack Campaign - ASEC BLOG
Detected Hints/Tags/Attributes 199/4/261
Source URLs
RSS Feed
Attributes
Details Type #Events CTI Value
Details Url 2
http://91.217.139.117:8080/1.bat
Details Url 2
http://91.217.139.117:8443/log.ini
Details Url 2
http://175.24.32.228:8888/readme
Details Url 2
http://sk1.m00nlight.top:80
Details Url 2
https://fk.m00nlight.top:443
Details Url 2
https://aa.zxcss.com:443
Details CVE 9
cve-2018-8639
Details CVE 34
cve-2019-1458
Details CVE 81
cve-2017-10271
Details Domain 2
m00nlight.top
Details Domain 285
microsoft.net
Details Domain 397
asp.net
Details Domain 42
co.kr
Details Domain 22
update.zip
Details Domain 13
info.zip
Details Domain 5
startmail.com
Details Domain 27
onionmail.com
Details Domain 2
sk1.m00nlight.top
Details Domain 2
fk.m00nlight.top
Details Domain 3
aa.zxcss.com
Details File 2
conf.aspx
Details File 3
2.aspx
Details File 2
3.aspx
Details File 2
file.aspx
Details File 2
4.asmx
Details File 7
tunnel.aspx
Details File 2
2.asmx
Details File 2
1.asmx
Details File 10
1.aspx
Details File 2
d:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\aa.aspx
Details File 2
d:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\11.aspx
Details File 2
app_web_defaultwsdlhelpgenerator.aspx
Details File 2
sjx_41yb.dll
Details File 2
app_web_ldaj2kwn.dll
Details File 2
modifyregistryhelp.jsp
Details File 2
eee.jsp
Details File 8
error.jsp
Details File 2
123.jsp
Details File 11
test.jsp
Details File 2
aaa.jsp
Details File 2
sb.jsp
Details File 47
index.jsp
Details File 5
update.jsp
Details File 20
shell.jsp
Details File 128
w3wp.exe
Details File 87
java.exe
Details File 21
sqlserver.exe
Details File 24
update.zip
Details File 3
c:\programdata\update.exe
Details File 7
8.txt
Details File 2
c:\programdata\8.ini
Details File 7
frpc.ini
Details File 15
frpc.exe
Details File 2
calc32.exe
Details File 2
c:\windows\debug\winh32.exe
Details File 4
log.ini
Details File 2
c:\windows\debug\log.ini
Details File 5
sp.exe
Details File 2126
cmd.exe
Details File 2
c:\temp\s.bat
Details File 175
update.exe
Details File 14
debug.exe
Details File 25
main.exe
Details File 13
info.exe
Details File 48
agent.exe
Details File 58
test.exe
Details File 2
zabbix.exe
Details File 2
winh32.exe
Details File 2
8080.ini
Details File 2
8.ini
Details File 13
info.zip
Details File 2
frpc__8083.ini
Details File 2
debug.ini
Details File 38
debug.log
Details File 17
debug.txt
Details File 2
frpc__2381.ini
Details File 2
lcx3.exe
Details File 3
lcx.exe
Details File 478
lsass.exe
Details File 2
%systemroot%\temp\duhgghmpert.dmp
Details File 2
%systemroot%\temp\dumpert.dmp
Details File 2
%systemroot%\temp\tarko.dmp
Details File 2
%systemroot%\temp\lsa.txt
Details File 1122
svchost.exe
Details File 2
web_log.dmp
Details File 2
web_log.zip
Details File 61
1.bat
Details File 2
c:\temp\evtlogon.dat
Details File 4
c:\windows\system32\bitlockerwizardelev.exe
Details File 2
%allusersprofile%\badpotatonet4.exe
Details File 8
vmp.exe
Details File 2
%allusersprofile%\sweetpotato.exe
Details File 2
vmp1.exe
Details File 2
%allusersprofile%\lcx.exe
Details File 2
%allusersprofile%\lcx_vp.exe
Details File 2
%systemdrive%\temp\lcx.exe
Details File 2
%systemdrive%\temp\lcx_vp.exe
Details File 2
%systemdrive%\temp\svchost.exe
Details File 95
wevtutil.exe
Details File 8
asp.asp
Details File 4
juicypotato.c4
Details File 4
sweetpotato.c4
Details File 27
agent.c4
Details File 31
generic.c4
Details File 4
exploit.c4
Details File 4
frp.c4
Details md5 2
0359a857a22c8e93bc43caea07d07e23
Details md5 3
85a6e4448f4e5be1aa135861a2c35d35
Details md5 2
4fc81fd5ac488b677a4c0ce5c272ffe3
Details md5 2
c0452b18695644134a1e38af0e974172
Details md5 4
6b4c7ea91d5696369dd0a848586f0b28
Details md5 2
96b23ff19a945fad77dd4dd6d166faaa
Details md5 2
88bef25e4958d0a198a2cc0d921e4384
Details md5 2
c908340bf152b96dc0f270eb6d39437f
Details md5 2
2c3de1cefe5cd2a5315a9c9970277bd7
Details md5 4
e5b626c4b172065005d04205b026e446
Details md5 2
27ec6fb6739c4886b3c9e21b6b9041b6
Details md5 5
612585fa3ada349a02bc97d4c60de784
Details md5 3
21c7b2e6e0fb603c5fdd33781ac84b8f
Details md5 2
c44457653b2c69933e04734fe31ff699
Details md5 4
e31b7d841b1865e11eab056e70416f1a
Details md5 2
69c7d9025fa3841c4cd69db1353179cf
Details md5 2
fca13226da57b33f95bf3faad1004ee0
Details md5 2
af002abd289296572d8afadfca809294
Details md5 3
e981219f6ba673e977c5c1771f86b189
Details md5 2
f978d05f1ebeb5df334f395d58a7e108
Details md5 2
e3af60f483774014c43a7617c44d05e7
Details md5 4
c802dd3d8732d9834c5a558e9d39ed37
Details md5 4
07191f554ed5d9025bc85ee1bf51f975
Details md5 2
61a687b0bea0ef97224c7bd2df118b87
Details md5 5
9fe61c9538f2df492dff1aab0f90579f
Details md5 5
ab9091f25a5ad44bef898588764f1990
Details md5 4
87e5c9f3127f29465ae04b9160756c62
Details md5 4
4bafbdca775375283a90f47952e182d9
Details md5 4
0311ee1452a19b97e626d24751375652
Details md5 2
acacf51ceef8943f0ee40fc181b6f1fa
Details md5 2
3cbea05bf7a1affb821e379b1966d89c
Details md5 2
10f4a1df9c3f1388f9c74eb4cdf24e7c
Details md5 2
b5bdf2de230722e1fe63d88d8f628ebc
Details md5 2
edb685194f2fcd6a92f6e909dee7a237
Details md5 2
e9bd5ed33a573bd5d9c4e071567808e5
Details md5 2
fbae6c3769ed4ae4eccaff76af7e7dfe
Details md5 4
937435bbcbc3670430bb762c56c7b329
Details md5 4
fd0f73dd80d15626602c08b90529d9fd
Details md5 2
29274ca90e6dcf5ae4762739fcbadf01
Details md5 2
784becfb944dec42cccf75c8cf2b97e3
Details md5 2
7307c6900952d4ef385231179c0a05e4
Details md5 2
bcfca13c801608a82a0924f787a19e1d
Details md5 2
75fe1b6536e94aaee132c8d022e14f85
Details md5 2
d6cb8b66f7a9f3b26b4a98acb2f9d0c5
Details md5 2
323a36c23e61c6b37f28abfd5b7e5dfe
Details md5 2
7b40aa57e1c61ecd6db2a1c18e08b0af
Details md5 2
3665d512be2e9d31fc931912d5c6900e
Details md5 2
1aca4310315d79e70168f15930cc3308
Details md5 4
5e0845a9f08c1cfc7966824758b6953a
Details md5 6
9b0e4652a0317e6e4da66f29a74b5ad7
Details md5 2
d8d36f17b50c8a37c2201fbb0672200a
Details md5 2
b998a39b31ad9b409d68dcb74ac6d97d
Details md5 2
d5054ed83e63f911be46b3ff8af82267
Details md5 2
e7b7bf4c2ed49575bedabdce2385c8d5
Details md5 4
f01a9a2d1e31332ed36c1a4d2839f412
Details md5 2
d4d8c9be9a4a6499d254e845c6835f5f
Details md5 4
4eb5eb52061cc8cf06e28e7eb20cd055
Details md5 2
0cc22fd05a3e771b09b584db0a161363
Details md5 4
8de8dfcb99621b21bf66a3ef2fcd8138
Details md5 4
df8f2dc27cbbd10d944210b19f97dafd
Details md5 2
2866f3c8dfd5698e7c58d166a5857e1e
Details md5 2
cbee2fd458ff686a4cd2dde42306bba1
Details md5 2
3dc8b64b498220612a43d36049f055ab
Details md5 3
31c4a3f16baa5e0437fdd4603987b812
Details md5 2
b33a27bfbe7677df4a465dfa9795ff4a
Details md5 7
7d9c233b8c9e3f0ea290d2b84593c842
Details md5 2
c4f18576fd1177ba1ef54e884cb7a79d
Details md5 2
5d33609af27ea092f80aff1af6ddf98d
Details md5 4
622f060fce624bdca9a427c3edec1663
Details md5 2
1f2432ec77b750aa3e3f72c866584dc3
Details md5 2
d331602d190c0963ec83e46f5a5cd54a
Details md5 2
21d268341884c4fc62b5af7a3b433d90
Details md5 2
6a20945ae9f7c9e1a28015e40758bb4f
Details md5 2
a29f39713ce6a92e642d14374e7203f0
Details md5 2
7ce988f1b593e96206a1ef57eb1bec8a
Details md5 2
fc9abba1f212db8eeac7734056b81a6e
Details md5 3
9f55b31c66a01953c17eea6ace66f636
Details md5 3
33129e959221bf9d5211710747fddabe
Details md5 2
48b99c2f0441f5a4794afb4f89610e48
Details md5 2
28e026b9550e4eb37435013425abfa38
Details md5 2
2ceabffe2d40714e5535212d46d78119
Details md5 2
c72750485db39d0c04469cd6b100a595
Details md5 2
68403cc3a6fcbeb9e5e9f7263d04c02f
Details md5 2
52ff6e3e942ac8ee012dcde89e7a1116
Details md5 2
d82481e9bc50d9d9aeb9d56072bf3cfe
Details md5 2
22381941763862631070e043d4dd0dc2
Details md5 2
6b5bccf615bf634b0e55a86a9c24c902
Details md5 2
942d949a28b2921fb980e2d659e6ef75
Details md5 2
059d98dcb83be037cd9829d31c096dab
Details md5 2
cca50cdd843aa824e5eef5f05e74f4a5
Details md5 2
f6f0d44aa5e3d83bb1ac777c9cea7060
Details md5 2
0ca345bc074fa2ef7a2797b875b6cd4d
Details md5 2
f6da8dc4e1226aa2d0dabc32acd06915
Details md5 2
0bbfaea19c8d1444ae282ff5911a527b
Details md5 2
a69d3580921ec8adce64c9b38ac3653a
Details md5 2
c4e39c1fc0e1b165319fa533a9795c44
Details md5 3
fb6bf74c6c1f2482e914816d6e97ce09
Details md5 2
678dbe60e15d913fb363c8722bde313d
Details md5 3
e0f4afe374d75608d604fbf108eac64f
Details md5 4
f5271a6d909091527ed9f30eafa0ded6
Details md5 2
ae8acf66bfe3a44148964048b826d005
Details md5 5
6983f7001de10f4d19fc2d794c3eb534
Details md5 2
fcb7f7dab6d401a17bd436fc12a84623
Details md5 6
bb8bdb3e8c92e97e2f63626bc3b254c4
Details md5 2
80f421c5fd5b28fc05b485de4f7896a1
Details md5 4
a03b57cc0103316e974bbb0f159f78f6
Details md5 2
46f366e3ee36c05ab5a7a319319f7c72
Details md5 2
7bd775395b821e158a6961c573e6fd43
Details md5 3
b434df66d0dd15c2f5e5b2975f2cfbe2
Details md5 2
c17cfe533f8ce24f0e41bd7e14a35e5e
Details md5 3
011cedd9932207ee5539895e2a1ed60a
Details md5 2
bc744a4bf1c158dba37276bf7db50d85
Details md5 2
23c0500a69b71d5942585bb87559fe83
Details md5 3
53271b2ab6c327a68e78a7c0bf9f4044
Details md5 2
c87ac56d434195c527d3358e12e2b2e0
Details IPv4 2
103.118.42.208
Details IPv4 2
91.217.139.117
Details IPv4 1441
127.0.0.1
Details IPv4 2
205.185.122.95
Details IPv4 2
175.24.32.228
Details IPv4 2
45.136.186.19
Details IPv4 2
45.136.186.175
Details IPv4 2
45.93.31.122
Details IPv4 2
45.93.31.75
Details IPv4 2
45.93.28.103
Details IPv4 2
101.43.121.50
Details MITRE ATT&CK Techniques 695
T1059
Details MITRE ATT&CK Techniques 310
T1047
Details MITRE ATT&CK Techniques 78
T1569
Details MITRE ATT&CK Techniques 480
T1053
Details MITRE ATT&CK Techniques 86
T1136
Details MITRE ATT&CK Techniques 67
T1505
Details MITRE ATT&CK Techniques 112
T1098
Details MITRE ATT&CK Techniques 116
T1134
Details MITRE ATT&CK Techniques 208
T1068
Details MITRE ATT&CK Techniques 289
T1003
Details MITRE ATT&CK Techniques 243
T1018
Details MITRE ATT&CK Techniques 168
T1046
Details MITRE ATT&CK Techniques 235
T1562
Details MITRE ATT&CK Techniques 247
T1070
Details MITRE ATT&CK Techniques 159
T1021
Details MITRE ATT&CK Techniques 118
T1570
Details MITRE ATT&CK Techniques 534
T1005
Details MITRE ATT&CK Techniques 89
T1114
Details MITRE ATT&CK Techniques 219
T1113
Details MITRE ATT&CK Techniques 126
T1567
Details MITRE ATT&CK Techniques 152
T1090
Details MITRE ATT&CK Techniques 492
T1105
Details MITRE ATT&CK Techniques 472
T1486
Details MITRE ATT&CK Techniques 49
T1608.001
Details Url 4
http://www.ive***.co.kr/uploadfile/ufaceimage/1/update.zip
Details Url 2
http://121.167.***.***/temp/8.txt
Details Url 2
http://103.118.42.208:8080/frpc.exe
Details Url 2
http://91.217.139.117:8080/calc32.exe
Details Url 2
http://91.217.139.117:8001/log.ini