Konni group delivers AutoIt malware targeting the virtual currency industry
Common Information
Type Value
UUID c4e42507-5986-48ae-887c-d62dab3f386e
Fingerprint fdfb457db9a412f9
Analysis status DONE
Considered CTI value 2
Text language
Published March 25, 2024, midnight
Added to db Dec. 19, 2024, 11:44 a.m.
Last updated Dec. 24, 2024, 10:54 a.m.
Headline Konni group delivers AutoIt malware targeting the virtual currency industry
Title Konni group delivers AutoIt malware targeting the virtual currency industry
Detected Hints/Tags/Attributes 13/1/67
Source URLs
Attributes
Type                  #Events  Value
Domain                1        settlors.com
Domain                1        nasions.com
Domain                1        shakuss.com
Domain                2        goosess.com
Domain                2        stuckss.com
Domain                2        oryzanine.com
Domain                24       www.genians.co.kr
Domain                202      asec.ahnlab.com
Domain                6752     163.com
File                  1        directory, then runs the start.vbs inside it
File                  23       start.vbs
File                  1        launches 09402649.bat
File                  1        09402649.bat
File                  1        takes start.vbs
File                  1        runs 95060869.bat
File                  1        runs 34631202.bat
File                  1        runs 42736915.bat
File                  1        95060869.bat
File                  1        calls 36980785.bat
File                  74       get.php
File                  1        after extraction, runs the 1.bat inside it
File                  1        34631202.bat
File                  1        calls 14886621.bat
File                  106      upload.php
File                  1        42736915.bat
File                  70       list.php
File                  1        after extraction, runs the temprun.bat inside it
File                  1        36980785.bat
File                  1        14886621.bat
File                  1        when 36980785.bat
File                  1        and 42736915.bat
File                  1        and leaves upok.txt behind
File                  1        first runs the 1.bat inside it
File                  67       1.bat
File                  1        then drops update.vbs in that directory
File                  17       update.vbs
File                  1        then runs start.bat from the archive
File                  1        while start.bat
File                  1        directly calls autoit.exe
File                  1        the configuration file setting.ini in the same directory as the au3 script
File                  1        첨부1_성명_개인정보수집이용동의서.docx
File                  1313     index.php
md5                   1        1aac6272dd9b6d05fa256a89677e90b5
md5                   2        655893b1641565f8ea04da4d74116b8a
md5                   1        e9db0e7aeb35758c6512d692e938178a
md5                   1        ff44068ba6ed88e5391452cffb0983be
md5                   1        7ee77ecd79b69a082750327b5750e6e4
md5                   1        64fbf63d29cb7e8d813702a2beeee856
Url                   1        http://settlors.com/get.php downloads an encrypted zip archive; after extraction, the 1.bat file inside it is run
Url                   1        http://settlors.com/upload.php
Url                   1        http://settlors.com/list.php downloads a cab file; after extraction, the temprun.bat file inside it is run
Url                   1        http://settlors.com/get.php continues to deliver a zip archive containing the malicious AutoIt script to the victim's device. Judging from the modification times of the files in the archive, the malicious script cdp.au3 was probably already in use in December 2023
Url                   1        https://nasions.com/v1/read/get.php
Url                   1        http://shakuss.com/upload.php
Url                   1        http://shakuss.com/list.php
Url                   1        https://goosess.com/read/get.php
Url                   1        http://stuckss.com/upload.php
Url                   1        http://stuckss.com/list.php
Url                   94       https://sandbox.ti.qianxin.com/sandbox/page
Url                   1        http://settlors.com/get.php
Url                   1        http://settlors.com/list.php
Url                   2        http://oryzanine.com/index.php
Url                   1        https://www.genians.co.kr/blog/threat_intelligence/bitcoin
Url                   2        https://asec.ahnlab.com/en/59590
Windows Registry Key  200      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Registry Key  1        HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User
Windows Registry Key  23       HKCU\Software\Microsoft\Internet