Lorec53 Group Analysis Report - Attack Activity Section – NSFOCUS Technology Blog
Tags
country: Georgia
attack-pattern: Model
Common Information
Type Value
UUID b85148be-4de6-4473-bc09-010be60389a1
Fingerprint 6f506576f2e2edb7
Analysis status DONE
Considered CTI value 0
Text language
Published Aug. 5, 2021, 11:06 a.m.
Added to db Sept. 26, 2022, 9:34 a.m.
Last updated Nov. 18, 2024, 2:38 a.m.
Headline Lorec53 Group Analysis Report - Attack Activity Section
Title Lorec53 Group Analysis Report - Attack Activity Section – NSFOCUS Technology Blog
Detected Hints/Tags/Attributes 12/2/69
Source URLs
Attributes
Type    #Events  Value
Domain  318      bit.ly
Domain  1        mohge.xyz
Domain  2        shcangjia.com
Domain  12       gov.ua
Domain  27       cutt.ly
Domain  3        1924.site
Domain  4        bitcoin.zip
Domain  2        gosloto.site
Domain  1        model.com
Domain  4        name1d.site
Domain  3        newcovid-21.zip
Domain  21       alibaba.com
Domain  3        1833.site
Domain  190      asec.ahnlab.com
Domain  2        www.meng-model.com
Domain  2        www.fao.org
Domain  2        georgia.idp.arizona.edu
Domain  1373     twitter.com
Email   1        The registrant of the related domains is fed****kar@rambler.ru
Email   1        Among the domains appearing in the associated events, 2315.site and 1833.site were registered by the same account, fed****kar@rambler.ru
Email   1        The registrant of 1000020.xyz is hro****1995@rambler.ru
File    1        The Lorec53 attackers delivered a file named confirmation.zip
File    1        named g-1081p.pdf
File    2        confirm.doc
File    7        install.txt
File    2        upd03212.exe
File    1        the upd03212.exe at the above URL
File    3        30.pdf
File    4        bitcoin.zip
File    1        this bitcoin.zip
File    1        pasword.txt
File    2        09042021.exe
File    2        form_request.doc
File    10       index.txt
File    3        newcovid-21.zip
File    1        signed.pdf
File    3        covid-21.doc
File    1        08042021.exe
File    1        georgia.pdf
File    3        georgia_private_sector_poster_inputs_06_2021.pdf
File    2        03284983240830433498422239328759576898-390325025958245048474-7494045958540499.pdf
File    2        ცვლილება.doc
File    2        გეგმა.doc
File    4        0407.exe
File    2        gov-ua.inf
File    2        0707a.exe
File    2        adobe_acrobat_reader_dc_update.msi
File    2        cv_ruslana.doc
File    2        gp00973.exe
File    2        227.html
Url     1        http://bit.ly/36fee98, which resolves to the trojan program at https://mohge.xyz/install.txt
Url     1        the file at http://001000100.xyz/soft/upd03212.exe, which is then run
Url     1        subsequent attack payloads are fetched from paths such as http://001000100.xyz/soft/ and http://shcangjia.com/uploads/
Url     1        http://shcangjia.com/ appears to be the official website of Shanghai Cangjia Electromechanical Equipment Co., Ltd.
Url     1        https://cutt.ly/mcxg1ft, which ultimately redirects to http://1924.site/doc/bitcoin.zip
Url     2        http://1924.site/soft/09042021.exe
Url     1        https://cutt.ly/wcbtvdf, corresponding to the doc document http://gosloto.site/doc/form_request.doc
Url     1        the malicious executable corresponding to http://name1d.site/index.txt, which is then run
Url     1        the executable corresponding to http://2330.site/soft/08042021.exe, which is then run
Url     1        the malicious program at http://1221.site/15858415841/0407.exe, saved to
Url     1        the watering-hole site http://president.gov.ua.administration.vakansiyi.administration.president.gov-ua.info/
Url     1        the lorecdocstealer program at http://1833.site/0707a.exe
Url     1        the subsequent attack payload from http://1833.site/
Url     1        the subsequent attack payload pointed to by http://1833.site/gp00973.exe
Url     2        https://asec.ahnlab.com/en/22481
Url     2        http://www.meng-model.com/en/contents/65/227.html
Url     2        http://www.fao.org/faolex/results/details/en/c/lex-faoc202251
Url     2        https://georgia.idp.arizona.edu
Url     2        https://twitter.com/tavaanatech/status/1410327342627667972